
CVE-2022-31050: Insufficient Session Expiration in TYPO3's Admin Tool

CVSS Score: 6.0 (CVSS v3.1)

Basic Information

EPSS Score: 0.5836%
Published: 6/17/2022
Updated: 1/27/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L

Package Name     Ecosystem   Vulnerable Versions     First Patched Version
typo3/cms-core   composer    >= 9.0.0, < 9.5.35      9.5.35
typo3/cms-core   composer    >= 10.0.0, < 10.4.29    10.4.29
typo3/cms-core   composer    >= 11.0.0, < 11.5.11    11.5.11
typo3/cms        composer    >= 10.0.0, < 10.4.29    10.4.29
typo3/cms        composer    >= 11.0.0, < 11.5.11    11.5.11

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from two related flaws. First, SessionService::setAuthorizedBackendSession in the vulnerable versions did not persist the metadata of the backend user session that authorized the Admin Tool (the backend user ID and an HMAC of the backend session ID), so a later request had no way to verify whether that original backend session still existed or still belonged to the same user. Second, the Maintenance middleware did not re-validate the backend user's privileges or session status on each request; an Admin Tool session that had been authorized once remained usable even after the account was degraded to lower permissions. The fix stores those session references when the Admin Tool session is authorized and adds the corresponding privilege and session checks to the middleware, which confirms that these were the missing security controls.
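The following is an added illustration of the two patterns described above, written for this page and not taken from TYPO3's code base: an Admin Tool session that remembers only a boolean "authorized" flag, beside one that stores the authorizing backend user ID and an HMAC of the backend session ID and re-checks both, plus the user's current privileges, on every request. All class and function names (BackendUser, BackendSession, AdminToolSession, authorize_fixed, is_authorized_fixed, scenario) and the in-memory user and session stores are constructed for the example; the disabled-account step goes slightly beyond the page's text, which only mentions degraded permissions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-ins for the backend user table and the backend session
# store; the names are hypothetical, not TYPO3's own classes or services.
SECRET = b"constructed-site-encryption-key"  # stands in for the site's encryption key


@dataclass
class BackendUser:
    uid: int
    admin: bool
    disabled: bool = False


@dataclass
class BackendSession:
    session_id: str
    user_uid: int


@dataclass
class AdminToolSession:
    """Server-side state of an Admin Tool session."""
    authorized: bool = False
    user_uid: Optional[int] = None
    backend_session_hmac: Optional[str] = None


def session_hmac(session_id: str, secret: bytes = SECRET) -> str:
    # Keep a keyed hash of the backend session id rather than the id itself,
    # so the Admin Tool session data never holds a usable backend session id.
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


# Vulnerable pattern: authorize once and remember only a boolean.
def authorize_vulnerable(tool: AdminToolSession, be_session: BackendSession) -> None:
    tool.authorized = True  # no record of who, or which session, authorized it


def is_authorized_vulnerable(tool: AdminToolSession) -> bool:
    return tool.authorized  # nothing left to re-check against


# Fixed pattern: bind the Admin Tool session to the authorizing backend
# session and re-validate user and session on every request.
def authorize_fixed(tool: AdminToolSession, be_session: BackendSession) -> None:
    tool.authorized = True
    tool.user_uid = be_session.user_uid
    tool.backend_session_hmac = session_hmac(be_session.session_id)


def is_authorized_fixed(
    tool: AdminToolSession,
    presented_session_id: str,
    be_sessions: Dict[str, BackendSession],
    users: Dict[int, BackendUser],
) -> bool:
    if not tool.authorized or tool.user_uid is None or tool.backend_session_hmac is None:
        return False
    # The backend session presented with this request must be the one that
    # authorized the Admin Tool session (constant-time compare of the HMACs).
    if not hmac.compare_digest(tool.backend_session_hmac, session_hmac(presented_session_id)):
        return False
    be_session = be_sessions.get(presented_session_id)
    if be_session is None or be_session.user_uid != tool.user_uid:
        return False  # backend session ended or was replaced
    user = users.get(tool.user_uid)
    # Privileges are evaluated now, not at the time the session was authorized.
    return user is not None and user.admin and not user.disabled


def scenario() -> Dict[str, tuple]:
    """Run both implementations through the same lifecycle.
    Returns (vulnerable_result, fixed_result) per step."""
    users = {1: BackendUser(uid=1, admin=True), 2: BackendUser(uid=2, admin=True)}
    be_sessions = {"bes-1": BackendSession("bes-1", 1), "bes-2": BackendSession("bes-2", 2)}
    vuln, fixed = AdminToolSession(), AdminToolSession()
    authorize_vulnerable(vuln, be_sessions["bes-1"])
    authorize_fixed(fixed, be_sessions["bes-1"])

    def check(presented: str) -> tuple:
        return (is_authorized_vulnerable(vuln),
                is_authorized_fixed(fixed, presented, be_sessions, users))

    results = {"authorized": check("bes-1")}
    # A different admin's backend session cannot ride on user 1's authorization.
    results["other_backend_session"] = check("bes-2")
    users[1].admin = False  # user 1 degraded to a non-admin account
    results["degraded"] = check("bes-1")
    users[1].admin = True
    users[1].disabled = True  # user 1 disabled (assumed check, beyond the page's text)
    results["disabled"] = check("bes-1")
    users[1].disabled = False
    del be_sessions["bes-1"]  # user 1 logs out of the backend
    results["backend_logged_out"] = check("bes-1")
    return results


if __name__ == "__main__":
    for step, (vulnerable, fixed) in scenario().items():
        print(f"{step:22s} vulnerable={vulnerable!s:5s} fixed={fixed}")
```

The vulnerable variant answers True at every step because it has nothing to compare against; the fixed variant stops answering True as soon as the backend session changes hands, ends, or the user loses admin rights, which is exactly the ongoing validation the middleware was missing.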


WAF Protection Rules

WAF Rule

> ### Meta
> * CVSS: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L/E:*/RL:O/RC:*` (*.*)
>
> ### Problem
> Admin Tool sessions initiated via the TYPO3 backend user interface have not been revoked even if the corresponding user account was degraded to lower
