CVE-2022-47406 — TYPO3 vulnerable to Insufficient Session Expiration

Description

An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension before 2.0.5, and 3.x before 3.0.3, for TYPO3. The extension fails to revoke existing sessions for the current user when the password has been changed.

How to fix CVE-2022-47406

To remediate CVE-2022-47406, upgrade the affected package to a fixed version below.

—upgrade to 3.0.3 or later
—upgrade to 2.0.5 or later

Is CVE-2022-47406 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 3.0.0, < 3.0.3
from 0, < 2.0.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-47406
PATCHgithub.com/TYPO3/typo3
WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/derhansen/fe_change_pwd/CVE-2022-47406.yaml
WEBtypo3.org/security/advisory/typo3-ext-sa-2022-016