Skip to main content

Insufficient Session Expiration


Severity High
Score 9.8/10


An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension through 2.0.4, and 3.0.0 through 3.0.2, for TYPO3. The extension fails to revoke existing sessions for the current user when the password has been changed.

  • LOW
  • HIGH
  • NONE
  • NONE
  • HIGH
  • HIGH

CWE-613 - Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Advisory Timeline

  • Published