CVE-2022-23502

Published: Dec 14, 2022Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: NVD

Description

TYPO3 is an open source PHP based web content management system. In versions prior to 10.4.33, 11.5.20, and 12.1.1, When users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions. This issue is patched in versions 10.4.33, 11.5.20, 12.1.1.

Affected (3)

Products: Typo3: Typo3

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Typo3 Typo3	From 10.0.0 to 10.4.33
Typo3 Typo3	From 11.0.0 to 11.5.20
Typo3 Typo3	From 12.0.0 to 12.1.1

Related CWEs

Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References (2)

https://github.com/TYPO3/typo3/security/advisories/GHSA-mgj2-q8wp-29rr

Source: security-advisories@github.com

Third Party Advisory

https://github.com/TYPO3/typo3/security/advisories/GHSA-mgj2-q8wp-29rr

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.