Lucene search

GoogleOSV:GHSA-MGJ2-Q8WP-29RR

HistoryDec 13, 2022 - 5:06 p.m.

TYPO3 CMS vulnerable to Insufficient Session Expiration after Password Reset

2022-12-1317:06:07

Google

osv.dev

typo3

cms

session expiration

password reset

security

update

advisory

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

21.4%

JSON

Problem

When users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions.

Solution

Update to TYPO3 versions 10.4.33, 11.5.20, 12.1.1 that fix the problem described above.

References

TYPO3-CORE-SA-2022-014

References

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-23502.yaml

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-23502.yaml

github.com/TYPO3/typo3

github.com/TYPO3/typo3/commit/d9ffbf24fcc62068033ebb3912538347bd380a6c

github.com/TYPO3/typo3/security/advisories/GHSA-mgj2-q8wp-29rr

nvd.nist.gov/vuln/detail/CVE-2022-23502

typo3.org/security/advisory/typo3-core-sa-2022-014

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

21.4%

JSON

Related for OSV:GHSA-MGJ2-Q8WP-29RR