Skip to content

Insufficient Session Expiration after Password Reset

Moderate
ohader published GHSA-mgj2-q8wp-29rr Dec 13, 2022

Package

composer typo3/cms-core (Composer)

Affected versions

10.0.0-10.4.32, 11.0.0-11.5.19, 12.0.0-12.1.0

Patched versions

10.4.33, 11.5.20, 12.1.1

Description

CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C (5.0)

Problem

When users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions.

Solution

Update to TYPO3 versions 10.4.33, 11.5.20, 12.1.1 that fix the problem described above.

Credits

Thanks to TYPO3 security team member Torben Hansen who reported and fixed the issue.

References

Severity

Moderate
5.4
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVE ID

CVE-2022-23502

Weaknesses

Credits