TYPO3 Security Misconfiguration in Install Tool Cookie

2024-06-0719:52:43

Google

osv.dev

typo3

security

misconfiguration

install tool

http

vulnerabilities

cross-site scripting

session hijacking

6.6 Medium

AI Score

Confidence

High

JSON

It has been discovered that cookies created in the Install Tool are not hardened to be submitted only via HTTP. In combination with other vulnerabilities such as cross-site scripting it can lead to hijacking an active and valid session in the Install Tool.

CPENameOperatorVersion
typo3/cmseq7.6.2
typo3/cmseq8.1.0
typo3/cmseq8.4.0
typo3/cmseq8.7.2
typo3/cmseq7.6.17
typo3/cmseq7.2.0
typo3/cmseq8.1.2
typo3/cmseq9.5.1
typo3/cmseq8.0.1
typo3/cmseq9.2.1

Name	Operator	Version
typo3/cms	eq	7.6.2
typo3/cms	eq	8.1.0
typo3/cms	eq	8.4.0
typo3/cms	eq	8.7.2
typo3/cms	eq	7.6.17
typo3/cms	eq	7.2.0
typo3/cms	eq	8.1.2
typo3/cms	eq	9.5.1
typo3/cms	eq	8.0.1
typo3/cms	eq	9.2.1

Rows per page:

1-10 of 881

References

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2018-12-11-4.yaml

github.com/TYPO3/typo3

github.com/TYPO3/typo3/commit/13328b0f74ac589a20b021db814dfa672581c26a

github.com/TYPO3/typo3/commit/918e50e4d20d88c7e40ad3bb134267d07706b0b1

github.com/TYPO3/typo3/commit/a5359491e3fb3164a6ba96a66c8e67fbb9971a4c

typo3.org/security/advisory/typo3-core-sa-2018-009

6.6 Medium

AI Score

Confidence

High

JSON