// For flags

CVE-2022-23502

TYPO3 contains Insufficient Session Expiration after Password Reset

Severity Score

5.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

TYPO3 is an open source PHP based web content management system. In versions prior to 10.4.33, 11.5.20, and 12.1.1, When users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions. This issue is patched in versions 10.4.33, 11.5.20, 12.1.1.

TYPO3 es un sistema de gestión de contenidos web basado en PHP de código abierto. En versiones anteriores a 10.4.33, 11.5.20 y 12.1.1, cuando los usuarios restablecían su contraseña utilizando la función de recuperación de contraseña correspondiente, las sesiones existentes para esa cuenta de usuario en particular no se revocaban. Esto se aplicó tanto a las sesiones de usuarios frontend como a las sesiones de usuarios backend. Este problema está solucionado en las versiones 10.4.33, 11.5.20, 12.1.1.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-01-19 CVE Reserved
  • 2022-12-14 CVE Published
  • 2024-07-06 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-613: Insufficient Session Expiration
CAPEC
References (1)
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Typo3
Search vendor "Typo3"
Typo3
Search vendor "Typo3" for product "Typo3"
>= 10.0.0 < 10.4.33
Search vendor "Typo3" for product "Typo3" and version " >= 10.0.0 < 10.4.33"
-
Affected
Typo3
Search vendor "Typo3"
Typo3
Search vendor "Typo3" for product "Typo3"
>= 11.0.0 < 11.5.20
Search vendor "Typo3" for product "Typo3" and version " >= 11.0.0 < 11.5.20"
-
Affected
Typo3
Search vendor "Typo3"
Typo3
Search vendor "Typo3" for product "Typo3"
>= 12.0.0 < 12.1.1
Search vendor "Typo3" for product "Typo3" and version " >= 12.0.0 < 12.1.1"
-
Affected