TYPO3 Security Misconfiguration in Install Tool Cookie

2024-06-0719:52:43

CWE-1004

GitHub Advisory Database

github.com

typo3

install tool

security misconfiguration

http

cross-site scripting

session hijacking

vulnerability

AI Score

6.6

Confidence

High

JSON

It has been discovered that cookies created in the Install Tool are not hardened to be submitted only via HTTP. In combination with other vulnerabilities such as cross-site scripting it can lead to hijacking an active and valid session in the Install Tool.

Affected configurations

Vulners

Node

typo3typo3_cmsRange9.0.0–9.5.2

typo3typo3_cmsRange8.0.0–8.7.21

typo3typo3_cmsRange7.0.0–7.6.32

VendorProductVersionCPE
typo3typo3_cms*cpe:2.3:a:typo3:typo3_cms:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
typo3	typo3_cms	*	cpe:2.3:a:typo3:typo3_cms::::::::

References

github.com/advisories/GHSA-f777-f784-36gm

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2018-12-11-4.yaml

github.com/TYPO3/typo3/commit/13328b0f74ac589a20b021db814dfa672581c26a

github.com/TYPO3/typo3/commit/918e50e4d20d88c7e40ad3bb134267d07706b0b1

github.com/TYPO3/typo3/commit/a5359491e3fb3164a6ba96a66c8e67fbb9971a4c

typo3.org/security/advisory/typo3-core-sa-2018-009

AI Score

6.6

Confidence

High

JSON