It has been discovered that TYPO3 is susceptible to session fixation.
July 1, 2015
Vulnerable subcomponent: Frontend Logon
Versions 6.2.0 to 6.2.13, 7.0.0 to 7.3.0
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
CVE: not assigned yet
It has been discovered that TYPO3 is susceptible to session fixation. If a frontend user authenticates while anonymous session data is already present, the session id is not regenerated on login: the same id that was valid before authentication remains valid afterwards. An attacker can therefore obtain a valid anonymous session id from the server, make a victim present that id (e.g. by setting the session cookie through a separate Cross-Site Scripting vulnerability), and, once the victim logs in, use the id they already know to access the victim's authenticated frontend session. Because planting the session id requires a second vulnerability or similar means, the suggested CVSS score rates access complexity as high.
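The flaw is easiest to see against a minimal server-side session store. The following is an added example written for this page, not TYPO3 code: `login_vulnerable` keeps whatever session id the client already presents (the behaviour described above), while `login_fixed` discards the pre-authentication id and issues a fresh one at the moment of login. `fixation_attack` replays the attack from the description against either variant; the session store, the function names and the attacker/victim roles are all constructed for illustration.

```python
"""Session fixation against a minimal session store (added example, not TYPO3 code).

The attacker first obtains a valid anonymous session id, then gets the victim
to present it. If the server keeps that id across login, the attacker ends up
holding an authenticated session; if the server regenerates the id on login,
the attacker's copy stays anonymous and is no longer in the store at all.
"""
import secrets


class SessionStore:
    """Hypothetical server-side store: session id -> session data."""

    def __init__(self):
        self.sessions = {}

    def get_or_create(self, presented_id):
        """Return a usable session id: the presented one if the server knows it,
        otherwise a freshly generated anonymous session."""
        if presented_id is None or presented_id not in self.sessions:
            presented_id = secrets.token_hex(16)
            self.sessions[presented_id] = {"user": None}
        return presented_id

    def login_vulnerable(self, presented_id, username):
        """Authenticate in place: the session id is the same before and after login."""
        sid = self.get_or_create(presented_id)
        self.sessions[sid]["user"] = username
        return sid

    def login_fixed(self, presented_id, username):
        """Authenticate and migrate the session data to a new id; the old id is
        removed so a copy held by anyone else is worthless from now on."""
        old_sid = self.get_or_create(presented_id)
        data = self.sessions.pop(old_sid)
        new_sid = secrets.token_hex(16)
        data["user"] = username
        self.sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        """Who the server believes is behind a session id (None if anonymous or unknown)."""
        session = self.sessions.get(sid)
        return session["user"] if session else None


def fixation_attack(use_fix):
    """Run the attack against one variant and report what each party's id resolves to.

    Returns (user_seen_by_attacker, user_seen_by_victim)."""
    store = SessionStore()
    login = store.login_fixed if use_fix else store.login_vulnerable

    # 1. Attacker requests a page and receives a valid anonymous session id.
    attacker_sid = store.get_or_create(None)

    # 2. Victim is made to present that id (e.g. cookie planted via XSS) and logs in.
    victim_sid = login(attacker_sid, "victim")

    # 3. Attacker reuses the id they already know; victim uses the id the server returned.
    return store.user_for(attacker_sid), store.user_for(victim_sid)


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(use_fix=False))  # attacker and victim both 'victim'
    print("fixed:     ", fixation_attack(use_fix=True))   # attacker None, victim 'victim'
```

The fix generalises beyond login: regenerate the session id on every change of privilege level, and remove the previous id from the store rather than leaving it readable, so that an id captured before the change cannot be replayed after it.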
Update to TYPO3 version 6.2.14 or 7.3.1, which fix the problem described.
Thanks to Helmut Hummel who discovered and reported the issue.
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
All security-related code changes are tagged so that you can easily look them up on our review system.