CVE-2022-23502

TYPO3 contains Insufficient Session Expiration after Password Reset

Severity Score

5.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

TYPO3 is an open source PHP based web content management system. In versions prior to 10.4.33, 11.5.20, and 12.1.1, When users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions. This issue is patched in versions 10.4.33, 11.5.20, 12.1.1.

TYPO3 es un sistema de gestión de contenidos web basado en PHP de código abierto. En versiones anteriores a 10.4.33, 11.5.20 y 12.1.1, cuando los usuarios restablecían su contraseña utilizando la función de recuperación de contraseña correspondiente, las sesiones existentes para esa cuenta de usuario en particular no se revocaban. Esto se aplicó tanto a las sesiones de usuarios frontend como a las sesiones de usuarios backend. Este problema está solucionado en las versiones 10.4.33, 11.5.20, 12.1.1.

*Credits: N/A

CVSS Scores

NISTv3.1 5.4

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-01-19 CVE Reserved
2022-12-14 CVE Published
2024-07-06 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-613: Insufficient Session Expiration

CAPEC

References (1)

URL	Tag	Source
https://github.com/TYPO3/typo3/security/advisories/GHSA-mgj2-q8wp-29rr	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Typo3 Search vendor "Typo3"		Typo3 Search vendor "Typo3" for product "Typo3"				>= 10.0.0 < 10.4.33 Search vendor "Typo3" for product "Typo3" and version " >= 10.0.0 < 10.4.33"		-		Affected
Typo3 Search vendor "Typo3"		Typo3 Search vendor "Typo3" for product "Typo3"				>= 11.0.0 < 11.5.20 Search vendor "Typo3" for product "Typo3" and version " >= 11.0.0 < 11.5.20"		-		Affected
Typo3 Search vendor "Typo3"		Typo3 Search vendor "Typo3" for product "Typo3"				>= 12.0.0 < 12.1.1 Search vendor "Typo3" for product "Typo3" and version " >= 12.0.0 < 12.1.1"		-		Affected