logo

Database

Session Fixation In typo3/cms

Description

TYPO3 frontend login vulnerable to Session Fixation It has been discovered that TYPO3 is susceptible to session fixation. If a user authenticates while anonymous session data is present, the session id is not changed. This makes it possible for attackers to generate a valid session id, trick users into using this session id (e.g. by leveraging a different Cross-Site Scripting vulnerability) and then maybe getting access to an authenticated session.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GCVE-GHSA-r9vc-jfmh-6j48

References

1. https://github.com/TYPO3/typo3/commit/4c9aba94a930d56ab374693c9c5cc0458587278a2. https://github.com/TYPO3/typo3/commit/4f6e84bba3c13ea8b2652af1a4c47758aa0705f43. https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2015-07-01-2.yaml4. https://typo3.org/security/advisory/typo3-core-sa-2015-0035. https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-003

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.