
CVE-2022-23502: CWE-613: Insufficient Session Expiration in TYPO3 typo3

Medium
Published: Wed Dec 14 2022 (12/14/2022, 07:34:21 UTC)
Source: CVE
Vendor/Project: TYPO3
Product: typo3

Description

TYPO3 is an open source PHP based web content management system. In versions prior to 10.4.33, 11.5.20, and 12.1.1, when users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions. This issue is patched in versions 10.4.33, 11.5.20, and 12.1.1.

AI-Powered Analysis

Last updated: 06/21/2025, 15:07:46 UTC

Technical Analysis

CVE-2022-23502 is a vulnerability affecting TYPO3, an open-source PHP-based web content management system widely used for building and managing websites. The issue pertains to insufficient session expiration (CWE-613) during the password recovery process. Specifically, in TYPO3 versions prior to 10.4.33, 11.5.20, and 12.1.1, when a user resets their password using the password recovery functionality, existing active sessions for that user are not revoked. This applies to both frontend user sessions (typically website visitors or customers) and backend user sessions (administrators or content managers). As a result, any session tokens or cookies that were valid before the password reset remain active and can continue to be used to access the account without re-authentication. This flaw undermines the security expectation that password resets should invalidate all prior authentication tokens to prevent unauthorized access, especially if the password reset was triggered due to a suspected compromise. The vulnerability has been patched in TYPO3 versions 10.4.33, 11.5.20, and 12.1.1. No known exploits in the wild have been reported to date. The vulnerability was published on December 14, 2022, and is categorized as medium severity by the vendor. The root cause is insufficient session management controls that fail to revoke or expire existing sessions upon password changes, violating secure session handling best practices.

Potential Impact

For European organizations using TYPO3, this vulnerability can lead to unauthorized persistent access to user accounts even after a password reset. An attacker who obtained a session cookie before the reset keeps that access without ever learning the new password, which can lead to data breaches, unauthorized content changes, or compromise of administrative control. This matters most where a password reset is the containment step: if an account is reset because compromise is suspected, the attacker's existing session survives the reset and the containment silently fails. The impact is mainly on confidentiality (unauthorized data access) and integrity (unauthorized content or configuration changes), with availability at risk where a retained backend session is used to disable accounts or content. Since both frontend and backend sessions are affected, a retained backend session amounts to retained administrative privileges. Although no exploits are currently known, exploitation requires only a previously captured or still-open session; nothing has to be bypassed. The scope is limited to TYPO3 installations running vulnerable versions, but TYPO3 has significant adoption in Europe, especially in Germany and other central European countries. This is particularly critical for organizations managing sensitive or regulated data, such as government portals, healthcare providers, financial institutions, and e-commerce platforms. Overall, the risk is medium on its own but rises when combined with any session-stealing vector (XSS, credential phishing on a shared device, leaked logs) or with social engineering.

Mitigation Recommendations

1. Upgrade TYPO3 installations to the patched versions 10.4.33, 11.5.20, or 12.1.1; this is the only mitigation that fixes the defect itself.
2. Until the upgrade lands, invalidate sessions server-side whenever a password is reset: terminate all existing sessions for the affected account (frontend and backend) as part of the reset procedure, rather than relying on the user to log out elsewhere.
3. Enforce short session lifetimes and require re-authentication for sensitive operations. In TYPO3 the backend and frontend session lifetime is governed by the sessionTimeout setting in TYPO3_CONF_VARS (under [BE] and [FE]); shorter values bound how long a retained session stays usable.
4. Monitor active sessions and give users and administrators a way to view and revoke active sessions manually.
5. Use multi-factor authentication (MFA) to reduce the value of a compromised password; note that MFA does not help against an already-established session, which is exactly what this issue preserves.
6. Audit user sessions and password reset logs regularly to detect suspicious activity, in particular sessions that remain active after a reset.
7. Instruct users and administrators to log out from all devices after a password change, since on vulnerable versions the reset itself does not do it.
8. Employ a web application firewall (WAF) or reverse-proxy logging to flag anomalous session usage, for example one session cookie appearing from several client addresses.
9. Where an upgrade must wait, bind sessions to the client address: TYPO3's lockIP setting (under [BE] and [FE] in TYPO3_CONF_VARS) restricts a session to the address that created it, which narrows replay of a stolen cookie from elsewhere.
These measures target the session lifecycle directly: the defect is that a credential change does not end existing sessions, so compensating controls should shorten, bind, and expose those sessions until the patched code ends them properly.
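The following added example is not TYPO3 code and not part of this advisory; it models the defect described in the Technical Analysis and the server-side revocation recommended in item 2 above with a small in-memory session store. The vulnerable reset handler changes the credential and leaves every existing session alive; the fixed handler revokes all of the account's sessions and stamps each session with a password generation counter so a stale session is rejected even if a deletion step were missed. Hashing parameters, the store layout, and the account and token names are assumptions for illustration.

```python
"""Session revocation on password reset (added illustration, not TYPO3 code).

Demonstrates CWE-613 as described for CVE-2022-23502: a password reset that
does not end existing sessions, beside the corrected behaviour.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-account salt. The algorithm and
    # iteration count are assumptions, not TYPO3's configured hashing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    # Bumped on every credential change. Sessions record the value they were
    # issued under, so a session from before a reset is detectably stale.
    password_generation: int = 0


@dataclass
class Session:
    token: str
    username: str
    issued_at: float
    password_generation: int


class SessionStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def create_account(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        acct = self.accounts.get(username)
        if acct is None:
            return None
        if not hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            return None
        return self._issue_session(acct)

    def _issue_session(self, acct: Account) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, acct.username, time.time(), acct.password_generation)
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Resolve a session token to a username; stale sessions are dropped."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        acct = self.accounts[sess.username]
        if sess.password_generation != acct.password_generation:
            del self.sessions[token]
            return None
        return sess.username

    def reset_password_vulnerable(self, username: str, new_password: str) -> str:
        """Behaviour before the fix: new credential, existing sessions untouched."""
        acct = self.accounts[username]
        acct.pw_hash = _hash_password(new_password, acct.salt)
        return self._issue_session(acct)

    def reset_password_fixed(self, username: str, new_password: str) -> str:
        """Corrected behaviour: revoke every session of the account, then issue one."""
        acct = self.accounts[username]
        acct.pw_hash = _hash_password(new_password, acct.salt)
        acct.password_generation += 1
        for tok in [t for t, s in self.sessions.items() if s.username == username]:
            del self.sessions[tok]
        return self._issue_session(acct)


def demo(fixed: bool) -> Tuple[bool, bool]:
    """Attacker holds a stolen session; victim resets the password.

    Returns (stolen session still valid, victim's new session valid).
    """
    store = SessionStore()
    store.create_account("editor", "old-password")        # constructed sample account
    stolen = store.login("editor", "old-password")        # cookie the attacker captured earlier
    reset = store.reset_password_fixed if fixed else store.reset_password_vulnerable
    new_token = reset("editor", "new-password")
    return store.user_for(stolen) == "editor", store.user_for(new_token) == "editor"


if __name__ == "__main__":
    print("vulnerable reset, stolen session still valid:", demo(fixed=False)[0])
    print("fixed reset, stolen session still valid:", demo(fixed=True)[0])
```

The generation counter is the part worth copying: deleting rows from a session table is the obvious fix, but a counter checked on every request also covers sessions living in a cache or replica that the deletion did not reach, and it costs one integer comparison per request.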


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-01-19T21:23:53.770Z
Cisa Enriched
true

Threat ID: 682d984ac4522896dcbf7a50

Added to database: 5/21/2025, 9:09:30 AM

Last enriched: 6/21/2025, 3:07:46 PM

Last updated: 8/2/2025, 2:19:42 PM

