CVE-2022-47406

An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension before 2.0.5, and 3.x before 3.0.3, for TYPO3. The extension fails to revoke existing sessions for the current user when the password has been changed.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
mitreCNA
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AC:L/AV:N/A:N/C:L/I:L/PR:L/S:U/UI:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 39%
VendorProductVersion
change_password_for_frontend_users_projectchange_password_for_frontend_users
𝑥
< 2.0.5
change_password_for_frontend_users_projectchange_password_for_frontend_users
3.0.0 ≤
𝑥
< 3.0.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://typo3.org/security/advisory/typo3-ext-sa-2022-016
https://typo3.org/security/advisory/typo3-ext-sa-2022-016