GHSA-ppvg-hw62-6ph9

Source

https://github.com/advisories/GHSA-ppvg-hw62-6ph9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-ppvg-hw62-6ph9/GHSA-ppvg-hw62-6ph9.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-ppvg-hw62-6ph9

Published

2024-05-30T15:11:42Z

Modified

2024-12-05T06:03:45.353170Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

TYPO3 Security Misconfiguration in Install Tool Cookie

Details

It has been discovered that cookies created in the Install Tool are not hardened to be submitted only via HTTP. In combination with other vulnerabilities such as cross-site scripting it can lead to hijacking an active and valid session in the Install Tool.

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2024-05-30T15:11:42Z",
    "cwe_ids": [
        "CWE-1004"
    ],
    "severity": "HIGH",
    "github_reviewed": true
}

References

Affected packages

Packagist / typo3/cms-core

Package

Name: typo3/cms-core
Purl: pkg:composer/typo3/cms-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.0.0

Fixed

8.7.21

Affected versions

v8.*

v8.7.7

v8.7.8

v8.7.9

v8.7.10

v8.7.11

v8.7.12

v8.7.13

v8.7.14

v8.7.15

v8.7.16

v8.7.17

v8.7.18

v8.7.19

v8.7.20

Packagist / typo3/cms-core

Package

Name: typo3/cms-core
Purl: pkg:composer/typo3/cms-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0

Fixed

9.5.2

Affected versions

v9.*

v9.0.0

v9.1.0

v9.2.0

v9.2.1

v9.3.0

v9.3.1

v9.3.2

v9.3.3

v9.4.0

v9.5.0

v9.5.1

Packagist / typo3/cms-core

Package

Name: typo3/cms-core
Purl: pkg:composer/typo3/cms-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.0.0

Fixed

7.6.32