- Component Type: TYPO3 CMS
- Vulnerable subcomponent: User Session Handling (ext:core)
- Release Date: May 7, 2019
- Vulnerability Type: Security Misconfiguration
- Affected Versions: 8.0.0-8.7.24 and 9.0.0-9.5.5
- Severity: Medium
- Suggested CVSS v3.0: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C
- CVE: not assigned yet
When users change their password, existing sessions for that user account are not revoked, so any session established before the change remains usable afterwards. A valid backend or frontend user account is required in order to make use of this vulnerability.
Update to TYPO3 version 8.7.25 or 9.5.6, which fix the problem described.
Maintainers of TYPO3 extensions are advised to revoke sessions on password change
When a third-party extension implements its own password-change process, it is advised to invalidate all sessions of the affected user account, as shown in the following example (available since 8.7.25 and 9.5.6):
use TYPO3\CMS\Core\Session\SessionManager;
use TYPO3\CMS\Core\Utility\GeneralUtility;

// $id is the uid of the fe_users record whose password was changed
$sessionManager = GeneralUtility::makeInstance(SessionManager::class);
// use 'BE' (and $GLOBALS['BE_USER']) for backend users
$sessionBackend = $sessionManager->getSessionBackend('FE');
// passing the current user's authentication object keeps the session in which
// the change is made, but regenerates its session ID; all other sessions of the
// user are removed
$sessionManager->invalidateAllSessionsByUserId($sessionBackend, (int)$id, $GLOBALS['TSFE']->fe_user);
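The following is an added example of a complete password-change service for a frontend user, as an extension author might write it; it is not code from TYPO3 core or from this advisory. It assumes TYPO3 9.5 APIs (PasswordHashFactory, ConnectionPool, SessionManager) and a standard fe_users table; the namespace, class name and method name are illustrative. The order matters: the new hash is written first, then every other session of the user is revoked, while the session in which the change is made is kept with a regenerated session ID.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 core code. Namespace and class name are illustrative.
namespace Vendor\Example\Service;

use TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Session\SessionManager;
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Frontend\Authentication\FrontendUserAuthentication;

final class PasswordChangeService
{
    /**
     * Stores a new password for a frontend user and revokes the user's sessions.
     *
     * @param int $userId uid of the fe_users record
     * @param string $newPassword plaintext password supplied by the user
     * @param FrontendUserAuthentication|null $currentUser authentication object of
     *        the session in which the change happens (e.g. $GLOBALS['TSFE']->fe_user).
     *        If it belongs to $userId, that session survives with a new session ID;
     *        every other session of the user is destroyed. Pass null to destroy all.
     */
    public function changePassword(
        int $userId,
        string $newPassword,
        ?FrontendUserAuthentication $currentUser = null
    ): void {
        // 1. Hash the password with the configured default algorithm for the FE context.
        $hashInstance = GeneralUtility::makeInstance(PasswordHashFactory::class)
            ->getDefaultHashInstance('FE');
        $hashedPassword = $hashInstance->getHashedPassword($newPassword);

        // 2. Persist the new hash for exactly this user record.
        GeneralUtility::makeInstance(ConnectionPool::class)
            ->getConnectionForTable('fe_users')
            ->update('fe_users', ['password' => $hashedPassword], ['uid' => $userId]);

        // 3. Revoke sessions. Without this step, a session obtained before the
        //    change (the issue described in this advisory) stays valid.
        $sessionManager = GeneralUtility::makeInstance(SessionManager::class);
        $sessionBackend = $sessionManager->getSessionBackend('FE');
        $sessionManager->invalidateAllSessionsByUserId($sessionBackend, $userId, $currentUser);
    }
}
```

Typical call from a controller handling a logged-in user's own password change: `$service->changePassword((int)$GLOBALS['TSFE']->fe_user->user['uid'], $newPassword, $GLOBALS['TSFE']->fe_user);`. For an administrative reset performed on behalf of another user, pass null as the third argument so that no session of the affected account is left alive.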
Find more details at https://docs.typo3.org/typo3cms/extensions/core/latest/Changelog/8.7.x/Important-87298-DestroySessionsOnPasswordChange.html
Thanks to Maxime Wehrlin (Capgemini France) who reported this issue and to TYPO3 core merger Frank Nägler who fixed the issue.
All security related code changes are tagged so that you can easily look them up in our review system.