Insufficient Session Expiration
CVE-2022-23502
Summary
TYPO3 is an open-source, PHP-based web content management system. When users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions. typo3/cms, typo3/cms-core and typo3/cms-felogin versions 10.2.x prior to 10.4.33, 11.x prior to 11.5.20 and 12.x prior to 12.1.1, and typo3/cms-backend 10.4.x prior to 10.4.33, 11.x prior to 11.5.20 and 12.x prior to 12.1.1, are affected by this vulnerability.
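The following is an added, language-agnostic illustration of the weakness described above and of the corresponding fix; it is not TYPO3 code and uses no TYPO3 APIs. It models two separate session scopes (mirroring frontend and backend sessions), shows a password reset that leaves existing sessions usable, and beside it a reset that revokes every session of the affected account. All names and values are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """One store per scope; the advisory names frontend and backend sessions."""
    sessions: dict = field(default_factory=dict)  # session_id -> user_id

    def create(self, user_id: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = user_id
        return sid

    def is_valid(self, sid: str) -> bool:
        return sid in self.sessions

    def revoke_all_for(self, user_id: str) -> int:
        """Drop every session bound to user_id; return how many were revoked."""
        stale = [sid for sid, uid in self.sessions.items() if uid == user_id]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)


class Accounts:
    def __init__(self) -> None:
        self.password_hashes: dict = {}  # user_id -> (salt, pbkdf2 digest)
        self.frontend = SessionStore()
        self.backend = SessionStore()

    def set_password(self, user_id: str, new_password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000)
        self.password_hashes[user_id] = (salt, digest)

    def reset_password_vulnerable(self, user_id: str, new_password: str) -> None:
        # Pre-fix behaviour: credential changes, sessions issued earlier stay valid.
        self.set_password(user_id, new_password)

    def reset_password_fixed(self, user_id: str, new_password: str) -> int:
        # Fixed behaviour: credential changes AND every session in both scopes is revoked.
        self.set_password(user_id, new_password)
        return self.frontend.revoke_all_for(user_id) + self.backend.revoke_all_for(user_id)


def demo() -> tuple:
    """Returns (stale sessions still valid after vulnerable reset, count revoked by fixed reset,
    any session still valid after fixed reset)."""
    acct = Accounts()
    acct.set_password("alice", "constructed-old-password")
    fe, be = acct.frontend.create("alice"), acct.backend.create("alice")
    acct.reset_password_vulnerable("alice", "constructed-new-password-1")
    still_valid = acct.frontend.is_valid(fe) and acct.backend.is_valid(be)
    revoked = acct.reset_password_fixed("alice", "constructed-new-password-2")
    return still_valid, revoked, acct.frontend.is_valid(fe) or acct.backend.is_valid(be)
```

The check a practitioner wants after a reset is the last element: no session created before the credential change is still accepted in either scope.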
- LOW
- NETWORK
- LOW
- UNCHANGED
- NONE
- LOW
- LOW
- NONE
CWE-613 - Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Advisory Timeline
- Published