Improper access control in TYPO3 - CVE-2022-31050

 

Improper access control in TYPO3 - CVE-2022-31050

Published: June 14, 2022


Vulnerability identifier: #VU64271
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-31050
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: TYPO3
Affected software:
TYPO3

Detailed vulnerability description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to Admin Tool sessions initiated via the TYPO3 backend user interface are not removed even if the corresponding user account was degraded to lower permissions or disabled completely. A remote user can prolong the admin tool session without any limit.


How to mitigate CVE-2022-31050

Install updates from vendor's website.

Sources