TYPO3 Insufficient Session Expiration Vulnerability (TYPO3-CORE-SA-2022-014)

# SPDX-FileCopyrightText: 2022 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later

CPE = "cpe:/a:typo3:typo3";

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.126252");
  script_version("2023-10-19T05:05:21+0000");
  script_tag(name:"last_modification", value:"2023-10-19 05:05:21 +0000 (Thu, 19 Oct 2023)");
  script_tag(name:"creation_date", value:"2022-12-14 09:26:09 +0000 (Wed, 14 Dec 2022)");
  script_tag(name:"cvss_base", value:"5.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:S/C:P/I:P/A:N");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2022-12-16 17:55:00 +0000 (Fri, 16 Dec 2022)");

  script_cve_id("CVE-2022-23502");

  script_tag(name:"qod_type", value:"remote_banner");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("TYPO3 Insufficient Session Expiration Vulnerability (TYPO3-CORE-SA-2022-014)");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2022 Greenbone AG");
  script_family("Web application abuses");
  script_dependencies("gb_typo3_http_detect.nasl");
  script_mandatory_keys("typo3/detected");

  script_tag(name:"summary", value:"TYPO3 is prone to an insufficient session expiration
  vulnerability.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"When users reset their password using the corresponding
  password recovery functionality, existing sessions for that particular user account were not
  revoked. This applied to both frontend user sessions and backend user sessions.");

  script_tag(name:"affected", value:"TYPO3 version 10.0.0 through 10.4.32, 11.0.0 through 11.5.19
  and 12.0.0 through 12.1.0.");

  script_tag(name:"solution", value:"Update to version 10.4.33, 11.5.20, 12.1.1 or later.

  Note: Since version 12.1.1 contains a known regression, vendor suggests to use 12.1.2 instead.");

  script_xref(name:"URL", value:"https://typo3.org/article/typo3-1211-11520-and-10433-security-releases-published");
  script_xref(name:"URL", value:"https://typo3.org/security/advisory/typo3-core-sa-2022-014");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if (!port = get_app_port(cpe: CPE))
  exit(0);

if (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE, version_regex: "[0-9]+\.[0-9]+\.[0-9]+")) # nb: Version might not be exact enough
  exit(0);

version = infos["version"];
location = infos["location"];

if (version_in_range_exclusive(version: version, test_version_lo: "10.0", test_version_up: "10.4.33")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "10.4.33", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

if (version_in_range_exclusive(version: version, test_version_lo: "11.0", test_version_up: "11.5.20")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "11.5.20", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

if (version_in_range_exclusive(version: version, test_version_lo: "12.0", test_version_up: "12.1.2")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "12.1.2", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

exit(99);