CVE-2022-31050 — Insufficient Session Expiration in Typo3

CWE-613 — Insufficient Session Expiration4 documents4 sources

Severity

7.2HIGHNVD

CNA6.0

EPSS

0.4%

top 36.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Typo3 Typo3 CMS Typo3 Cms-core

Timeline

PublishedJun 14

Latest updateJun 17

Description

TYPO3 is an open source web content management system. Prior to versions 9.5.34 ELTS, 10.4.29, and 11.5.11, Admin Tool sessions initiated via the TYPO3 backend user interface had not been revoked even if the corresponding user account was degraded to lower permissions or disabled completely. This way, sessions in the admin tool theoretically could have been prolonged without any limit. TYPO3 versions 9.5.34 ELTS, 10.4.29, and 11.5.11 contain a fix for the problem.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages4 packages

▶Packagisttypo3/cms10.0.0 — 10.4.29+1

▶NVDtypo3/typo39.0.0 — 9.5.35+2

▶Packagisttypo3/cms-core9.0.0 — 9.5.35+2

▶CVEListV5typo3/typo3>= 10.0.0, < 10.4.29, >= 11.0.0, < 11.5.11, >= 9.0.0, < 9.5.34+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Insufficient Session Expiration in TYPO3's Admin Tool↗2022-06-17

▶

GHSA

Insufficient Session Expiration in TYPO3's Admin Tool↗2022-06-17

▶

CVEList

Insufficient Session Expiration in TYPO3 Admin Tool↗2022-06-14

▶