CVE-2022-31050: Insufficient Session Expiration in TYPO3's Admin Tool
CVSS Score: 6.0 (CVSS v3.1)
Basic Information
CVE ID: CVE-2022-31050
GHSA ID:
EPSS Score: 0.5836%
CWE:
Published: 6/17/2022
Updated: 1/27/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
typo3/cms-core | composer | >= 9.0.0, < 9.5.35 | 9.5.35 |
typo3/cms-core | composer | >= 10.0.0, < 10.4.29 | 10.4.29 |
typo3/cms-core | composer | >= 11.0.0, < 11.5.11 | 11.5.11 |
typo3/cms | composer | >= 10.0.0, < 10.4.29 | 10.4.29 |
typo3/cms | composer | >= 11.0.0, < 11.5.11 | 11.5.11 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from two related flaws:

1) In vulnerable versions, SessionService::setAuthorizedBackendSession marked the Admin Tool session as authorized but did not persist the metadata needed to tie it back to the backend user session that authorized it (the backend user ID and an HMAC of the backend session ID). Without that reference there was no way to check later whether the originating backend session was still valid.

2) The Maintenance middleware did not re-validate the backend user's session status or privileges on subsequent requests, so an Admin Tool session that had been authorized once stayed usable after the backend session had been logged out or had expired.

The fix adds both controls: the session service now stores the backend session reference, and the middleware checks on each request that the referenced backend session still exists and that the user still holds the required privileges. Those two checks were the missing security controls.
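The following is an added illustration of the two patterns described above, written for this page and not taken from TYPO3's code base. BackendSessionStore, authorizeVulnerable, authorizeHardened, isAuthorizedHardened and TOOL_SESSION_SECRET are hypothetical names; the in-memory session store and the sample session IDs are constructed stand-ins for TYPO3's backend session table and cookies. The vulnerable branch records only an "authorized" flag, the hardened branch persists a user ID plus an HMAC of the backend session ID and re-validates both on every request, as the patched middleware does.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the backend session table: session id => user record.
// A logout or expiry simply removes the row.
final class BackendSessionStore
{
    /** @var array<string, array{uid: int, admin: bool}> */
    private array $sessions = [];

    public function login(string $sessionId, int $uid, bool $admin): void
    {
        $this->sessions[$sessionId] = ['uid' => $uid, 'admin' => $admin];
    }

    public function logout(string $sessionId): void
    {
        unset($this->sessions[$sessionId]);
    }

    /** @return array{uid: int, admin: bool}|null */
    public function find(string $sessionId): ?array
    {
        return $this->sessions[$sessionId] ?? null;
    }
}

// Vulnerable pattern: the Admin Tool session only records that it was
// authorized once. Nothing ties it to the backend session that vouched for it,
// so there is nothing to re-check on later requests.
function authorizeVulnerable(array &$toolSession): void
{
    $toolSession['authorized'] = true;
}

function isAuthorizedVulnerable(array $toolSession): bool
{
    return (bool)($toolSession['authorized'] ?? false);
}

// Hardened pattern: persist a reference to the authorizing backend session
// (user id plus an HMAC of the session id, so the raw id is not stored in the
// tool session) and re-validate it on every request, as the middleware would.
// Hypothetical secret; a real deployment would use the site's encryption key.
const TOOL_SESSION_SECRET = 'constructed-secret-replace-with-encryption-key';

function authorizeHardened(array &$toolSession, int $uid, string $backendSessionId): void
{
    $toolSession['authorized'] = true;
    $toolSession['backendUserId'] = $uid;
    $toolSession['backendSessionIdHmac'] = hash_hmac('sha256', $backendSessionId, TOOL_SESSION_SECRET);
}

function isAuthorizedHardened(array $toolSession, BackendSessionStore $store, ?string $currentBackendSessionId): bool
{
    if (!($toolSession['authorized'] ?? false) || $currentBackendSessionId === null) {
        return false;
    }
    $record = $store->find($currentBackendSessionId);
    if ($record === null) {
        return false; // backend session logged out or expired
    }
    if ($record['uid'] !== ($toolSession['backendUserId'] ?? null) || !$record['admin']) {
        return false; // different user, or privileges revoked since authorization
    }
    // Bind the tool session to the exact backend session that authorized it.
    $expected = hash_hmac('sha256', $currentBackendSessionId, TOOL_SESSION_SECRET);
    return hash_equals($toolSession['backendSessionIdHmac'] ?? '', $expected);
}

// Scenario: authorize the Admin Tool from a backend session, then end that
// backend session while the browser keeps sending both session cookies.
$store = new BackendSessionStore();
$backendSessionId = 'be-session-123'; // constructed sample session id
$store->login($backendSessionId, 7, true);

$vulnerable = [];
$hardened = [];
authorizeVulnerable($vulnerable);
authorizeHardened($hardened, 7, $backendSessionId);

$store->logout($backendSessionId);

// Compare how each check responds once the backend session is gone.
var_dump(isAuthorizedVulnerable($vulnerable));
var_dump(isAuthorizedHardened($hardened, $store, $backendSessionId));
```

Run it with `php` on the command line. After the logout the vulnerable check still accepts the Admin Tool session, while the hardened check rejects it because the referenced backend session no longer exists; the same check also fails if the backend user loses admin rights or if a different backend session presents the tool session, which is the behaviour the patched middleware enforces.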