typo3/cms is vulnerable to Session Hijacking. The vulnerability is due to cookies not being hardened to be submitted only via HTTP, which in combination with other vulnerabilities like cross-site scripting can lead to hijacking an active and valid session.