CVE-2023-47127 MEDIUM

CVE-2023-47127: Weak Authentication in Session Handling in typo3/cms-core

Vendor Typo3

Product typo3

Weakness CWE-302

Published November 14, 2023

Last update August 29, 2024

View on NVD All CVEs

CVSS base score

4.2/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In typo3 installations there are always at least two different sites. Eg. first.example.org and second.example.com. In affected versions a session cookie generated for the first site can be reused on the second site without requiring additional authentication. This vulnerability has been addressed in versions 8.7.55, 9.5.44, 10.4.41, 11.5.33, and 12.4.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

Disclosure timeline

November 14, 2023 CVE published

August 29, 2024 Record updated

Identifiers

CVE CVE-2023-47127

CWE CWE-302

CVSS 4.2 / MEDIUM

Affected versions

Vendor Typo3

Product typo3

Affected >= 8.0.0, < 8.7.55

Vendor Typo3

Product typo3

Affected >= 9.0.0, < 9.5.44

Vendor Typo3

Product typo3

Affected >= 10.0.0, < 10.4.41

Vendor Typo3

Product typo3

Affected >= 11.0.0, < 11.5.33

Vendor Typo3

Product typo3

Affected >= 12.0.0, < 12.4.8