CVE-2022-47406 — Insufficient Session Expiration in Password FOR Frontend Users Project Change Password FOR Frontend Users

CWE-613 — Insufficient Session Expiration4 documents4 sources

Severity

9.8CRITICALNVD

CNA5.4

EPSS

0.3%

top 50.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Change Password FOR Frontend Users Project Change Password FOR Frontend Users Derhansen FE Change PWD Typo3 CMS

Timeline

PublishedDec 14

Description

An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension before 2.0.5, and 3.x before 3.0.3, for TYPO3. The extension fails to revoke existing sessions for the current user when the password has been changed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDchange_password3.0.0 — 3.0.3+1

▶Packagisttypo3/cms3.0.0 — 3.0.3+1

▶Packagistderhansen/fe_change_pwd3.0.0 — 3.0.3+1

Patches

Patch: typo3.org ↗Patch: typo3.org ↗

🔴Vulnerability Details

CVEList

CVE-2022-47406: An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension before 2↗2022-12-14

▶

GHSA

TYPO3 vulnerable to Insufficient Session Expiration↗2022-12-14

▶

OSV

TYPO3 vulnerable to Insufficient Session Expiration↗2022-12-14

▶