CVE-2022-47406 typo3/cms

Package

Manager: composer
Name: typo3/cms
Vulnerable Version: >=0 <2.0.5 || >=3.0.0 <3.0.3

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00173 (percentile: 0.39095)

Details

TYPO3 vulnerable to Insufficient Session Expiration

An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension before 2.0.5, and 3.x before 3.0.3, for TYPO3. The extension fails to revoke existing sessions for the current user when the password has been changed.

Metadata

Created: 2022-12-14T21:30:16Z
Modified: 2022-12-19T21:10:07Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-53mm-hx32-6475/GHSA-53mm-hx32-6475.json
CWE IDs: ["CWE-613"]
Alternative ID: GHSA-53mm-hx32-6475
Finding: F068
Auto approve: 1