Vulnerability identifier: #VU18904
Vulnerability risk: Low
CVSSv3.1: 3.3 [CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: N/A
Exploitation vector: Local
Exploit availability: No
Vulnerable software: TYPO3 (Web applications / CMS)
Vendor: TYPO3
Description
The vulnerability allows a local user to gain access to another user's session.
The vulnerability exists because the application does not invalidate the session identifier when the user logs out and leaves it stored in the browser's cookies. An attacker with access to the victim's browser can read the session identifier from the cookie store and replay it to gain access to the victim's account.
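The following is an added illustration of the failure mode described above, written for this page; it is not TYPO3's code and does not reproduce the project's session implementation. It models a server-side session table and a minimal browser cookie jar, then compares a logout that neither destroys the server session nor expires the cookie with a logout that does both. The cookie name fe_typo_user and the user "alice" are assumptions chosen for the example.

```python
"""Model of a logout that leaves the session id valid and in the browser.

Illustrative code only (not TYPO3's implementation). The cookie name
fe_typo_user and the user name are assumptions for this example.
"""
import secrets
import time

SESSION_COOKIE = "fe_typo_user"  # assumed cookie name for illustration


class SessionStore:
    """Server-side session table keyed by session id."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user, "created": time.time()}
        return sid

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None

    def destroy(self, sid):
        self._sessions.pop(sid, None)


class CookieJar:
    """Minimal browser cookie jar: applies Set-Cookie, treating Max-Age=0 as deletion."""

    def __init__(self):
        self.cookies = {}

    def apply(self, set_cookie):
        if set_cookie is None:
            return
        parts = [p.strip() for p in set_cookie.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in parts[1:])}
        if attrs.get("max-age") == "0":
            self.cookies.pop(name, None)
        else:
            self.cookies[name] = value


def login(store, jar, user):
    """Create a server session and hand the id to the browser as a cookie."""
    sid = store.create(user)
    jar.apply(f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax")
    return sid


def logout_vulnerable(store, jar, sid):
    # The flawed behaviour: the server keeps the session and sends no header
    # that expires the cookie, so the id stays valid and stays in the browser.
    return None


def logout_fixed(store, jar, sid):
    # Hardened logout: drop the session server-side (so a copied id is useless)
    # and tell the browser to delete the cookie (so nothing is left to read).
    store.destroy(sid)
    jar.apply(f"{SESSION_COOKIE}=deleted; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax")


def attacker_replay(store, jar):
    """Someone with access to the victim's browser reads the jar and replays the cookie."""
    sid = jar.cookies.get(SESSION_COOKIE)
    return store.user_for(sid) if sid else None


def run(fixed):
    """Victim logs in, attacker copies the cookie, victim logs out, attacker replays
    both the copy and whatever remains in the jar. Returns the users the server accepts."""
    store, jar = SessionStore(), CookieJar()
    sid = login(store, jar, "alice")
    copied = jar.cookies[SESSION_COOKIE]  # attacker's copy taken before logout
    (logout_fixed if fixed else logout_vulnerable)(store, jar, sid)
    return {
        "from_jar": attacker_replay(store, jar),
        "from_copy": store.user_for(copied),
    }


if __name__ == "__main__":
    print("vulnerable logout:", run(fixed=False))
    print("fixed logout:     ", run(fixed=True))
```

The two halves of the fix matter independently: expiring the cookie protects against someone who only reads the browser after logout, while destroying the server-side session protects against an attacker who copied the id earlier. A quick check against a real deployment is the same sequence: log in, save the session cookie, log out, then replay the saved cookie against an authenticated page and confirm the server rejects it.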
Mitigation
Install updates from vendor's website.
Vulnerable software versions
TYPO3: 9.5.0 - 9.5.7, 9.0.0 - 9.4.0, 8.5.0 - 8.7.26
External links
http://typo3.org/security/advisory/typo3-core-sa-2019-018/
Can this vulnerability be exploited remotely?
No. The attacker must have physical access to the victim's system (specifically the browser holding the session cookie) in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.