Authorization bypass through user-controlled key in TYPO3 - #VU18904


Published: June 25, 2019


Vulnerability identifier: #VU18904
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID:
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: TYPO3
Affected software:
TYPO3

Detailed vulnerability description

The vulnerability allows a local user to gain access to another user's session.

The vulnerability exists because the application does not delete the session identifier after the user logs out and leaves it stored in a cookie. An attacker with access to the victim's browser can obtain the session identifier and gain access to the victim's account.
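The failure mode described above, as an added Python model (not TYPO3's code, and no claim about TYPO3's internals): a logout handler that leaves the session identifier valid on the server and in the browser cookie, beside a hardened one that destroys the session and expires the cookie, plus the post-logout replay check a tester would run against either. The session store and user name are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Minimal server-side session store (constructed model, not TYPO3)."""
    sessions: dict = field(default_factory=dict)   # session id -> user name

    def login(self, user: str) -> str:
        sid = secrets.token_hex(16)                 # 128-bit random session id
        self.sessions[sid] = user
        return sid

    def user_for(self, sid: str):
        return self.sessions.get(sid)


def logout_vulnerable(store: SessionStore, sid: str) -> dict:
    """Logout of the kind the advisory describes: the browser is sent to the
    login page, but the server-side session is kept and no Set-Cookie header
    removes the id, so the cookie still in the browser resolves to the user."""
    return {"Location": "/login"}


def logout_fixed(store: SessionStore, sid: str) -> dict:
    """Hardened logout: delete the session server-side so the old id can never
    resolve to a user again, and instruct the browser to drop the cookie."""
    store.sessions.pop(sid, None)
    return {
        "Location": "/login",
        "Set-Cookie": "session=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax",
    }


def replay_after_logout(store: SessionStore, logout) -> dict:
    """Post-logout replay check: log in, log out through `logout`, then present
    the old id again. A secure logout yields a dead session and a cleared cookie."""
    sid = store.login("victim")                     # constructed user
    headers = logout(store, sid)
    return {
        "server_session_alive": store.user_for(sid) == "victim",
        "cookie_cleared": "Max-Age=0" in headers.get("Set-Cookie", ""),
    }
```

Against a live application the same check is: log in, copy the session cookie, log out, then send one request with the copied cookie and expect an unauthenticated response.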


Remediation

Install updates from the vendor's website.

Sources