- Component Type: TYPO3 CMS
- Subcomponent: Password Reset (ext:felogin, ext:backend)
- Release Date: December 13, 2022
- Vulnerability Type: Insufficient Session Expiration
- Affected Versions: 10.0.0-10.4.32, 11.0.0-11.5.19, 12.0.0-12.1.0
- Severity: Medium
- Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C
- References: CVE-2022-23502, CWE-613
When users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions.
Update to TYPO3 versions 10.4.33, 11.5.20, 12.1.1 that fix the problem described above.
Thanks to TYPO3 security team member Torben Hansen who reported and fixed the issue.
All security related code changes are tagged so that you can easily look them up in our review system.