CVE-2022-23502
MEDIUM5.4EPSS 0.23%TYPO3 CMS vulnerable to Insufficient Session Expiration after Password Reset
Published: 12/13/2022Modified: 12/6/2023
Description
### Problem When users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions. ### Solution Update to TYPO3 versions 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-014](https://typo3.org/security/advisory/typo3-core-sa-2022-014)
Affected packages (3)
- Bitnami/typo3>= 10.0.0, < 10.4.33, >= 11.0.0, < 11.5.20, >= 12.0.0, < 12.1.1
- Packagist/typo3/cms>= 10.0.0, < 10.4.33
- Packagist/typo3/cms-core>= 10.0.0, < 10.4.33
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-23502
- PATCHhttps://github.com/TYPO3/typo3
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-23502.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-23502.yaml
- WEBhttps://github.com/TYPO3/typo3/commit/d9ffbf24fcc62068033ebb3912538347bd380a6c
- WEBhttps://github.com/TYPO3/typo3/security/advisories/GHSA-mgj2-q8wp-29rr
- WEBhttps://typo3.org/security/advisory/typo3-core-sa-2022-014