
CVE-2014-3944: TYPO3 Improper Session Invalidation

CVSS Score: 5.8

Basic Information

EPSS Score: 0.40953%
Published: 5/17/2022
Updated: 4/25/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Affected package:
Package Name: typo3/cms
Ecosystem: composer
Vulnerable Versions: >= 6.2.0, < 6.2.3
First Patched Version: 6.2.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper session timeout handling in TYPO3's authentication component. The key session management methods in AbstractUserAuthentication (the core authentication class) are the most probable candidates. The 'gc' method handles session cleanup, and a flawed implementation there would leave expired sessions active. 'fetchUserSession' might have failed to validate session expiration during authentication checks. While the exact pre-patch code isn't available, TYPO3's architecture and the CWE-287 context strongly implicate these methods. Confidence is medium: there are no direct code references, but the analysis aligns with the described vulnerability mechanics.


WAF Protection Rules

WAF Rule

The authentication component in TYPO3 6.2.x before 6.2.3 does not properly invalidate timed out user sessions, which allows remote attackers to bypass authentication via unspecified vectors.
