GHSA-mgj2-q8wp-29rr

Source

https://github.com/advisories/GHSA-mgj2-q8wp-29rr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-mgj2-q8wp-29rr/GHSA-mgj2-q8wp-29rr.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mgj2-q8wp-29rr

Aliases

Published

2022-12-13T17:06:07Z

Modified

2023-12-06T01:01:58.835295Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

TYPO3 CMS vulnerable to Insufficient Session Expiration after Password Reset

Details

Problem

When users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions.

Solution

Update to TYPO3 versions 10.4.33, 11.5.20, 12.1.1 that fix the problem described above.

References

TYPO3-CORE-SA-2022-014

Database specific

{
    "nvd_published_at": "2022-12-14T08:15:00Z",
    "github_reviewed_at": "2022-12-13T17:06:07Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-613"
    ]
}

References

Affected packages

Packagist / typo3/cms-core

Package

Name: typo3/cms-core
Purl: pkg:composer/typo3/cms-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.0.0

Fixed

10.4.33

Affected versions

v10.*

v10.0.0

v10.1.0

v10.2.0

v10.2.1

v10.2.2

v10.3.0

v10.4.0

v10.4.1

v10.4.2

v10.4.3

v10.4.4

v10.4.5

v10.4.6

v10.4.7

v10.4.8

v10.4.9

v10.4.10

v10.4.11

v10.4.12

v10.4.13

v10.4.14

v10.4.15

v10.4.16

v10.4.17

v10.4.18

v10.4.19

v10.4.20

v10.4.21

v10.4.22

v10.4.23

v10.4.24

v10.4.25

v10.4.26

v10.4.27

v10.4.28

v10.4.29

v10.4.30

v10.4.31

v10.4.32

Packagist / typo3/cms-core

Package

Name: typo3/cms-core
Purl: pkg:composer/typo3/cms-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0.0

Fixed

11.5.20

Affected versions

v11.*

v11.0.0

v11.1.0

v11.1.1

v11.2.0

v11.3.0

v11.3.1

v11.3.2

v11.3.3

v11.4.0

v11.5.0

v11.5.1

v11.5.2

v11.5.3

v11.5.4

v11.5.5

v11.5.6

v11.5.7

v11.5.8

v11.5.9

v11.5.10

v11.5.11

v11.5.12

v11.5.13

v11.5.14

v11.5.15

v11.5.16

v11.5.17

v11.5.18

v11.5.19

Packagist / typo3/cms-core

Package

Name: typo3/cms-core
Purl: pkg:composer/typo3/cms-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

12.0.0

Fixed

12.1.1

Affected versions

v12.*

v12.0.0

v12.1.0

Packagist / typo3/cms

Package

Name: typo3/cms
Purl: pkg:composer/typo3/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.0.0

Fixed

10.4.33

Affected versions

v10.*

v10.0.0

v10.1.0

v10.2.0

v10.2.1

v10.2.2

v10.3.0

v10.4.0

v10.4.1

v10.4.2

v10.4.3

v10.4.4

v10.4.5

v10.4.6

v10.4.7

v10.4.8

v10.4.9

v10.4.10

v10.4.11

v10.4.12

v10.4.13

v10.4.14

v10.4.15

v10.4.16

v10.4.17

v10.4.18

v10.4.19

v10.4.20

v10.4.21

v10.4.22

v10.4.23

v10.4.24

v10.4.25

v10.4.26

v10.4.27

v10.4.28

v10.4.29

v10.4.30

v10.4.31

v10.4.32

Packagist / typo3/cms

Package

Name: typo3/cms
Purl: pkg:composer/typo3/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0.0

Fixed

11.5.20

Affected versions

v11.*

v11.0.0

v11.1.0

v11.1.1

v11.2.0

v11.3.0

v11.3.1

v11.3.2

v11.3.3

v11.4.0

v11.5.0

v11.5.1

v11.5.2

v11.5.3

v11.5.4

v11.5.5

v11.5.6

v11.5.7

v11.5.8

v11.5.9

v11.5.10

v11.5.11

v11.5.12

v11.5.13

v11.5.14

v11.5.15

v11.5.16

v11.5.17

v11.5.18

v11.5.19

Packagist / typo3/cms

Package

Name: typo3/cms
Purl: pkg:composer/typo3/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

12.0.0

Fixed

12.1.1

Affected versions

v12.*

v12.0.0

v12.1.0