- Component Type: TYPO3 CMS
- Vulnerable subcomponent: User Session Handling (ext:core)
- Release Date: May 7, 2019
- Vulnerability Type: Security Misconfiguration
- Affected Versions: 8.0.0-8.7.24 and 9.0.0-9.5.5
- Severity: Medium
- Suggested CVSS v3.0: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C
- CVE: not assigned yet
Problem Description
When users change their password, existing sessions for that particular user account are not revoked, so a session established before the change (for example one obtained by an attacker) stays valid. A valid backend or frontend user account is required in order to make use of this vulnerability.
Solution
Update to TYPO3 versions 8.7.25 or 9.5.6 that fix the problem described.
Maintainers of TYPO3 extensions are advised to revoke sessions on password change
When third-party extensions implement their own process for changing account passwords, it is advised to invalidate all sessions for that particular user account as shown in the following example (a frontend user; use the session backend 'BE' and $GLOBALS['BE_USER'] for backend users).
use TYPO3\CMS\Core\Session\SessionManager;
use TYPO3\CMS\Core\Utility\GeneralUtility;

// $id is the uid of the fe_users record whose password has just been changed.
$sessionManager = GeneralUtility::makeInstance(SessionManager::class);
// 'FE' selects the frontend session backend ('BE' for backend users).
$sessionBackend = $sessionManager->getSessionBackend('FE');
// Destroy every session of this user; the current user object is passed so the
// session of the user performing the change is not destroyed.
$sessionManager->invalidateAllSessionsByUserId($sessionBackend, (int)$id, $GLOBALS['TSFE']->fe_user);
Find more details at https://docs.typo3.org/typo3cms/extensions/core/latest/Changelog/8.7.x/Important-87298-DestroySessionsOnPasswordChange.html
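The following is an added example, not code from TYPO3 core or from the advisory, showing the full sequence an extension should perform when it changes a password: hash and store the new password, then revoke the account's other sessions. It assumes a TYPO3 9.5 context; the namespace, class and method names are hypothetical, and the mode parameter selects between frontend ('FE', table fe_users) and backend ('BE', table be_users) accounts.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical extension code, not TYPO3 core). Assumes TYPO3 9.5.
namespace Vendor\MyExt\Service;

use TYPO3\CMS\Core\Authentication\AbstractUserAuthentication;
use TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Session\SessionManager;
use TYPO3\CMS\Core\Utility\GeneralUtility;

final class PasswordChangeService
{
    /**
     * Stores a new password hash for an account and revokes the account's other sessions.
     *
     * @param string $mode      'FE' for fe_users, 'BE' for be_users
     * @param int    $userId    uid of the account whose password is changed
     * @param string $plaintext the new password as entered by the user
     */
    public function changePassword(string $mode, int $userId, string $plaintext): void
    {
        $table = $mode === 'BE' ? 'be_users' : 'fe_users';

        // 1. Store only a hash, produced by the hash algorithm configured for this mode.
        $hash = GeneralUtility::makeInstance(PasswordHashFactory::class)
            ->getDefaultHashInstance($mode)
            ->getHashedPassword($plaintext);

        GeneralUtility::makeInstance(ConnectionPool::class)
            ->getConnectionForTable($table)
            ->update($table, ['password' => $hash], ['uid' => $userId]);

        // 2. Revoke every session of this account. The user object of the current
        //    request is handed over so that, when users change their own password,
        //    the session they are working in is kept rather than destroyed.
        $currentUser = $mode === 'BE'
            ? ($GLOBALS['BE_USER'] ?? null)
            : ($GLOBALS['TSFE']->fe_user ?? null);

        $sessionManager = GeneralUtility::makeInstance(SessionManager::class);
        $sessionBackend = $sessionManager->getSessionBackend($mode);
        $sessionManager->invalidateAllSessionsByUserId(
            $sessionBackend,
            $userId,
            $currentUser instanceof AbstractUserAuthentication ? $currentUser : null
        );
    }
}
```

The session revocation is done after the new hash is written, so an attacker holding an old session cannot keep using it in the window between the two steps; if an administrator resets another user's password, the third argument refers to the administrator's own account and does not match, so all sessions of the target account are destroyed.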
Credits
Thanks to Maxime Wehrlin (Capgemini France) who reported this issue and to TYPO3 core merger Frank Nägler who fixed the issue.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
General Note
All security related code changes are tagged so that you can easily look them up in our review system.