TYPO3 Security Misconfiguration in Install Tool Cookie

2024-05-3015:11:42

CWE-1004

GitHub Advisory Database

github.com

typo3

security misconfiguration

install tool

http

vulnerabilities

cross-site scripting

session hijacking

6.6 Medium

AI Score

Confidence

High

JSON

It has been discovered that cookies created in the Install Tool are not hardened to be submitted only via HTTP. In combination with other vulnerabilities such as cross-site scripting it can lead to hijacking an active and valid session in the Install Tool.

Affected configurations

Vulners

Node

typo3cms_poll_system_extensionRange<7.6.32

typo3cms_poll_system_extensionRange<9.5.2

typo3cms_poll_system_extensionRange<8.7.21

CPENameOperatorVersion
typo3/cms-corelt7.6.32
typo3/cms-corelt9.5.2
typo3/cms-corelt8.7.21

Name	Operator	Version
typo3/cms-core	lt	7.6.32
typo3/cms-core	lt	9.5.2
typo3/cms-core	lt	8.7.21

References

github.com/advisories/GHSA-ppvg-hw62-6ph9

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2018-12-11-4.yaml

typo3.org/security/advisory/typo3-core-sa-2018-009

6.6 Medium

AI Score

Confidence

High

JSON