GHSA-f777-f784-36gm – typo3/cms

Package

Manager: composer
Name: typo3/cms
Vulnerable Version: >=7.0.0 <7.6.32 || >=8.0.0 <8.7.21 || >=9.0.0 <9.5.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

TYPO3 Security Misconfiguration in Install Tool Cookie It has been discovered that cookies created in the Install Tool are not hardened to be submitted only via HTTP. In combination with other vulnerabilities such as cross-site scripting it can lead to hijacking an active and valid session in the Install Tool.

Metadata

Created: 2024-06-07T19:52:43Z
Modified: 2024-06-07T19:52:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-f777-f784-36gm/GHSA-f777-f784-36gm.json
CWE IDs: ["CWE-1004"]
Alternative ID: N/A
Finding: F042
Auto approve: 1