CVE-2009-0256: Authentication library in TYPO3 vulnerable to session fixation
CVSS Score: 7.5
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.74821%
CWE
Published: 5/2/2022
Updated: 1/23/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| typo3/cms | composer | >= 4.0.0, <= 4.0.9 | 4.0.10 |
| typo3/cms | composer | >= 4.1.0, <= 4.1.7 | 4.1.8 |
| typo3/cms | composer | >= 4.2.0, <= 4.2.3 | 4.2.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from TYPO3's failure to regenerate session IDs during authentication (CWE-384). Session fixation occurs when the system accepts an attacker-provided session ID without invalidation. The core authentication classes (AbstractUserAuthentication and its Frontend/Backend implementations) are responsible for session management. The start() method initializes sessions, while handleLogin() processes authentication. In vulnerable versions, these functions did not include session_regenerate_id() calls or equivalent protections after successful authentication, allowing session identifiers to persist across login events. This matches the CWE-384 pattern and the advisory's description of frontend/backend authentication vectors.
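The pattern described above, next to the fix of issuing a fresh session ID at login, as an added example that is not TYPO3 code. The in-memory `SessionStore` class, its method names and the sample values are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory session store (constructed example, not TYPO3 code).
final class SessionStore
{
    private array $sessions = [];   // session ID => ['user' => ?string]

    // Mirrors the flaw: whatever ID the client presents is adopted as-is.
    public function start(?string $clientId): string
    {
        $id = $clientId ?? bin2hex(random_bytes(16));
        $this->sessions[$id] ??= ['user' => null];
        return $id;
    }

    // Vulnerable login: the pre-login ID becomes the authenticated ID.
    public function loginKeepId(string $id, string $user): string
    {
        $this->sessions[$id]['user'] = $user;
        return $id;
    }

    // Hardened login: drop the old record and bind the user to a fresh random ID.
    public function loginRotateId(string $id, string $user): string
    {
        unset($this->sessions[$id]);
        $new = bin2hex(random_bytes(16));
        $this->sessions[$new] = ['user' => $user];
        return $new;
    }

    public function userFor(string $id): ?string
    {
        return $this->sessions[$id]['user'] ?? null;
    }
}

$preLoginId = 'id-known-before-login';   // constructed stand-in for a pre-set ID

// Without rotation: which user does the pre-login ID resolve to after login?
$store = new SessionStore();
$sid = $store->start($preLoginId);
$store->loginKeepId($sid, 'alice');
var_dump($store->userFor($preLoginId));

// With rotation: the same check, plus the freshly issued ID.
$store = new SessionStore();
$sid = $store->start($preLoginId);
$fresh = $store->loginRotateId($sid, 'alice');
var_dump($store->userFor($preLoginId), $store->userFor($fresh));
```

With `loginKeepId()` the pre-login ID resolves to the logged-in user; with `loginRotateId()` it resolves to nothing and only the newly issued ID is authenticated.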