CVE-2022-47406
published 2022-12-14CVE-2022-47406: An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension before 2.0.5, and 3.x before 3.0.3, for TYPO3. The extension…
PriorityP342critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.44%
35.2th percentile
An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension before 2.0.5, and 3.x before 3.0.3, for TYPO3. The extension fails to revoke existing sessions for the current user when the password has been changed.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| change_password_for_frontend_users_project | change_password_for_frontend_users | < 2.0.5 | 2.0.5 |
| change_password_for_frontend_users_project | change_password_for_frontend_users | >= 3.0.0 < 3.0.3 | 3.0.3 |
| derhansen | fe_change_pwd | >= 0 < 2.0.5 | 2.0.5 |
| derhansen | fe_change_pwd | >= 3.0.0 < 3.0.3 | 3.0.3 |
| typo3 | cms | >= 0 < 2.0.5 | 2.0.5 |
| typo3 | cms | >= 3.0.0 < 3.0.3 | 3.0.3 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
TYPO3 vulnerable to Insufficient Session Expiration
ghsa·2022-12-14
CVE-2022-47406 [CRITICAL] CWE-613 TYPO3 vulnerable to Insufficient Session Expiration
TYPO3 vulnerable to Insufficient Session Expiration
An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension before 2.0.5, and 3.x before 3.0.3, for TYPO3. The extension fails to revoke existing sessions for the current user when the password has been changed.
OSV
TYPO3 vulnerable to Insufficient Session Expiration
osv·2022-12-14
CVE-2022-47406 [CRITICAL] TYPO3 vulnerable to Insufficient Session Expiration
TYPO3 vulnerable to Insufficient Session Expiration
An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension before 2.0.5, and 3.x before 3.0.3, for TYPO3. The extension fails to revoke existing sessions for the current user when the password has been changed.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2022-12-14
Published