Insufficient Session Expiration
CVE-2022-47406
Summary
An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension through 2.0.4, and 3.0.0 through 3.0.2, for TYPO3. The extension fails to revoke existing sessions for the current user when the password has been changed.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-613 - Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Advisory Timeline
- Published
