CVE-2022-23502

TYPO3 is an open source PHP based web content management system. In versions prior to 10.4.33, 11.5.20, and 12.1.1, When users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions. This issue is patched in versions 10.4.33, 11.5.20, 12.1.1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
GitHub_MCNA
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
VendorProductVersion
typo3typo3
10.0.0 ≤
𝑥
< 10.4.33
typo3typo3
11.0.0 ≤
𝑥
< 11.5.20
typo3typo3
12.0.0 ≤
𝑥
< 12.1.1
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
typo3-src
kinetic
dne
jammy
dne
focal
dne
bionic
dne
xenial
ignored
trusty
ignored
Common Weakness Enumeration
References
https://github.com/TYPO3/typo3/security/advisories/GHSA-mgj2-q8wp-29rr
https://github.com/TYPO3/typo3/security/advisories/GHSA-mgj2-q8wp-29rr