TYPO3 Security Misconfiguration in Install Tool Cookie · GHSA-ppvg-hw62-6ph9 · GitHub Advisory Database · GitHub

TYPO3 Security Misconfiguration in Install Tool Cookie

High severity GitHub Reviewed Published May 30, 2024 to the GitHub Advisory Database • Updated May 30, 2024

Package

typo3/cms-core (Composer)

Affected versions

>= 8.0.0, < 8.7.21

>= 9.0.0, < 9.5.2

>= 7.0.0, < 7.6.32

Patched versions

8.7.21

9.5.2

7.6.32

Description

It has been discovered that cookies created in the Install Tool are not hardened to be submitted only via HTTP. In combination with other vulnerabilities such as cross-site scripting it can lead to hijacking an active and valid session in the Install Tool.

References

Published to the GitHub Advisory Database May 30, 2024

Reviewed May 30, 2024

Last updated May 30, 2024

Severity

High

7.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N