TYPO3 Security Misconfiguration in Install Tool Cookie

2024-05-3015:11:42

Google

osv.dev

typo3

security

misconfiguration

install tool

http

session hijacking

cross-site scripting

6.6 Medium

AI Score

Confidence

High

JSON

It has been discovered that cookies created in the Install Tool are not hardened to be submitted only via HTTP. In combination with other vulnerabilities such as cross-site scripting it can lead to hijacking an active and valid session in the Install Tool.

CPENameOperatorVersion
typo3/cms-coreeq8.7.9
typo3/cms-coreeq8.7.10
typo3/cms-coreeq8.7.20
typo3/cms-coreeq9.1.0
typo3/cms-coreeq8.7.13
typo3/cms-coreeq9.4.0
typo3/cms-coreeq9.3.3
typo3/cms-coreeq8.7.14
typo3/cms-coreeq8.7.15
typo3/cms-coreeq8.7.16

Name	Operator	Version
typo3/cms-core	eq	8.7.9
typo3/cms-core	eq	8.7.10
typo3/cms-core	eq	8.7.20
typo3/cms-core	eq	9.1.0
typo3/cms-core	eq	8.7.13
typo3/cms-core	eq	9.4.0
typo3/cms-core	eq	9.3.3
typo3/cms-core	eq	8.7.14
typo3/cms-core	eq	8.7.15
typo3/cms-core	eq	8.7.16

Rows per page:

1-10 of 251

References

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2018-12-11-4.yaml

github.com/TYPO3-CMS/core

typo3.org/security/advisory/typo3-core-sa-2018-009

6.6 Medium

AI Score

Confidence

High

JSON