CVE-2022-23502 – typo3/cms

Package

Manager: composer
Name: typo3/cms
Vulnerable Version: >=10.0.0 <10.4.33 || >=11.0.0 <11.5.20 || >=12.0.0 <12.1.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00066 pctl0.20728

Details

TYPO3 CMS vulnerable to Insufficient Session Expiration after Password Reset ### Problem When users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions. ### Solution Update to TYPO3 versions 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-014](https://typo3.org/security/advisory/typo3-core-sa-2022-014)

Metadata

Created: 2022-12-13T17:06:07Z
Modified: 2022-12-13T17:06:07Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-mgj2-q8wp-29rr/GHSA-mgj2-q8wp-29rr.json
CWE IDs: ["CWE-613"]
Alternative ID: GHSA-mgj2-q8wp-29rr
Finding: F280
Auto approve: 1