
GHSA-ppvg-hw62-6ph9: TYPO3 Security Misconfiguration in Install Tool Cookie

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

CVE ID: -
EPSS Score: -
Published: 5/30/2024
Updated: 5/30/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name   | Ecosystem | Vulnerable Versions | First Patched Version
typo3/cms-core | composer  | >= 8.0.0, < 8.7.21  | 8.7.21
typo3/cms-core | composer  | >= 9.0.0, < 9.5.2   | 9.5.2
typo3/cms-core | composer  | >= 7.0.0, < 7.6.32  | 7.6.32

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from a missing HttpOnly flag on the Install Tool's cookies. Session cookie handling in TYPO3's Install Tool is managed by SessionService, and its setSessionCookie method is the one that would set the cookie parameters. Because the advisory specifically states that cookie hardening is missing in the Install Tool, and HttpOnly is a standard cookie security attribute, the absence of this flag in the cookie-setting function constitutes the vulnerability. This matches the CWE-1004 pattern (Sensitive Cookie Without 'HttpOnly' Flag) and TYPO3's component structure.
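To make the root cause concrete, the following is an added PHP illustration, not TYPO3's own SessionService code: a minimal session-cookie setter in the weak shape the analysis describes (no HttpOnly attribute), the hardened form beside it, and a small defender-side check that inspects a Set-Cookie header for the attributes a session cookie should carry. The cookie name, the function names and the sample headers are all hypothetical or constructed.

```php
<?php
// Added illustration, not TYPO3's SessionService: a session-cookie setter in
// the weak form the advisory describes, beside a hardened form, plus a check
// that reports which hardening attributes a Set-Cookie header lacks.
// COOKIE_NAME and all function names are hypothetical.

declare(strict_types=1);

const COOKIE_NAME = 'install_tool_session'; // hypothetical cookie name

// Weak form: no HttpOnly flag, so the session id is readable from script.
// This is the shape CWE-1004 describes; with an XSS bug in the same origin the
// session id can be read out by injected script.
function setSessionCookieWeak(string $sessionId): bool
{
    return setcookie(COOKIE_NAME, $sessionId, 0, '/');
}

// Hardened form: HttpOnly keeps the cookie out of reach of JavaScript,
// Secure limits it to TLS connections, SameSite=Strict refuses cross-site
// submission. The options-array signature of setcookie() needs PHP >= 7.3.
function setSessionCookieHardened(string $sessionId, bool $https): bool
{
    return setcookie(COOKIE_NAME, $sessionId, [
        'expires'  => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => $https,   // only mark Secure when the site is served over TLS
        'httponly' => true,     // the attribute whose absence is the finding
        'samesite' => 'Strict',
    ]);
}

// Defender-side check: parse one Set-Cookie header value and return the
// hardening attributes that are missing. Suitable for a test suite or a
// response-inspection script run against a staging instance.
function missingCookieAttributes(string $setCookieHeader): array
{
    $parts = array_map('trim', explode(';', $setCookieHeader));
    array_shift($parts); // drop the leading name=value pair
    $present = array_map(
        static fn(string $attr): string => strtolower(explode('=', $attr, 2)[0]),
        $parts
    );

    $missing = [];
    foreach (['httponly', 'secure', 'samesite'] as $wanted) {
        if (!in_array($wanted, $present, true)) {
            $missing[] = $wanted;
        }
    }
    return $missing;
}

// Constructed sample headers, not captured from a real TYPO3 instance.
$weakHeader = 'install_tool_session=abc123; path=/';
$hardHeader = 'install_tool_session=abc123; path=/; secure; HttpOnly; SameSite=Strict';

echo 'weak header lacks: ', implode(', ', missingCookieAttributes($weakHeader)), PHP_EOL;
echo 'hardened header lacks: ', implode(', ', missingCookieAttributes($hardHeader)), PHP_EOL;
```

The check is deliberately case-insensitive on attribute names because browsers treat them that way; it reports only which attributes are absent, so the same function can be pointed at any Set-Cookie header an application emits, not just the Install Tool's.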


WAF Protection Rules

WAF Rule

It has been discovered that cookies created in the Install Tool are not hardened to be submitted only via HTTP. In combination with other vulnerabilities such as cross-site scripting it can lead to hijacking an active and valid session in the Install
