CVE-2022-23502
Severity
MEDIUM
TYPO3 10.0.0-10.4.32 - Insufficient Session Expiration in Password Recovery
Title source: llmDescription
TYPO3 is an open-source, PHP-based web content management system. In versions prior to 10.4.33, 11.5.20, and 12.1.1, when users reset their password using the corresponding password recovery functionality, existing sessions for that user account were not revoked. This applied to both frontend user sessions and backend user sessions. This issue is patched in versions 10.4.33, 11.5.20, and 12.1.1.
References (1)
Third Party Advisory (x_refsource_confirm)
https://github.com/TYPO3/typo3/security/advisories/GHSA-mgj2-q8wp-29rr
Scores
CVSS v3
5.4
EPSS
0.0015
EPSS Percentile
35.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-613
Status
published
Products (3)
typo3/cms
10.0.0 - 10.4.33 (Packagist)
typo3/cms-core
10.0.0 - 10.4.33 (Packagist)
typo3/typo3
10.0.0 - 10.4.33
Published
Dec 14, 2022
Tracked Since
Feb 18, 2026