CVE-2022-23502
TYPO3 CMS vulnerable to Insufficient Session Expiration after Password Reset
5.4
MEDIUM
CVSS 3.1
EPSS 0.23%
Description
### Problem
When users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions.
### Solution
Update to TYPO3 version 10.4.33, 11.5.20 or 12.1.1, which fix the problem described above.
### References
* [TYPO3-CORE-SA-2022-014](https://typo3.org/security/advisory/typo3-core-sa-2022-014)
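As an added illustration of the defect class (a constructed in-memory model, not TYPO3's code), the pre-fix behaviour sits beside the corrected one: a password reset must invalidate every session already bound to that account, whether frontend or backend. Hashing and session-id generation here are placeholders chosen for brevity.

```python
"""Session revocation on password reset (constructed example for CVE-2022-23502)."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


def _hash(password: str, salt: str) -> str:
    # Illustrative only; a real system uses a password KDF (argon2, bcrypt).
    return hashlib.sha256((salt + password).encode()).hexdigest()


@dataclass
class User:
    name: str
    salt: str
    pw_hash: str


@dataclass
class SessionStore:
    users: Dict[str, User] = field(default_factory=dict)
    sessions: Dict[str, str] = field(default_factory=dict)  # session id -> username

    def add_user(self, name: str, password: str) -> None:
        salt = secrets.token_hex(8)
        self.users[name] = User(name, salt, _hash(password, salt))

    def login(self, name: str, password: str) -> Optional[str]:
        u = self.users.get(name)
        if u is None or not secrets.compare_digest(u.pw_hash, _hash(password, u.salt)):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = name
        return sid

    def is_authenticated(self, sid: str) -> bool:
        return sid in self.sessions

    def reset_password_vulnerable(self, name: str, new_password: str) -> None:
        # Pre-fix behaviour: the credential changes, but every session the
        # account already holds keeps working (CWE-613, insufficient expiration).
        u = self.users[name]
        u.salt = secrets.token_hex(8)
        u.pw_hash = _hash(new_password, u.salt)

    def reset_password_fixed(self, name: str, new_password: str) -> int:
        # Fixed behaviour: rotate the credential, then revoke all sessions of
        # that account (other users' sessions are untouched). Returns the count.
        self.reset_password_vulnerable(name, new_password)
        stale = [sid for sid, owner in self.sessions.items() if owner == name]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)
```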
How to fix CVE-2022-23502
To remediate CVE-2022-23502, upgrade the affected package to a fixed version below.
- —upgrade to 10.4.33 or later
Is CVE-2022-23502 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 10.0.0, < 10.4.33, >= 11.0.0, < 11.5.20, >= 12.0.0, < 12.1.1
- >= 10.0.0, < 10.4.33
- >= 10.0.0, < 10.4.33
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |