CVE-2022-36106: CWE-287: Improper Authentication in TYPO3 typo3
TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the expiration time of a password reset link for TYPO3 backend users has never been evaluated. As a result, a password reset link could be used to perform a password reset even if the default expiry time of two hours has been exceeded. Update to TYPO3 version 10.4.32 or 11.5.16 that fix the problem. There are no known workarounds for this issue.
AI Analysis
Technical Summary
CVE-2022-36106 is classified under CWE-287 (Improper Authentication) and affects TYPO3, an open-source PHP-based web content management system. The flaw is in the password reset feature for TYPO3 backend users. A reset link carries an expiry time, and TYPO3 is designed to reject a link two hours after it was generated, but that expiry was never evaluated: a correctly generated link stayed usable for as long as the rest of its validation succeeded. An attacker who obtains a reset link, for example from a compromised or forwarded mailbox, a proxy or log record, or a phishing flow, can therefore still complete a password reset for the targeted backend user long after the link should have been dead, and if that user is an administrator the attacker gains administrative access to the TYPO3 backend. Affected versions are 10.4.0 up to but not including 10.4.32 and 11.0.0 up to but not including 11.5.16 (backend password reset was introduced with TYPO3 10.4, which is why the range starts there). The issue was publicly disclosed on September 13, 2022, and fixed in 10.4.32 and 11.5.16; there is no workaround other than updating. No exploitation in the wild has been reported. No interaction from the victim is needed beyond whatever it took for the attacker to obtain the link. The attacker still needs a valid link for the targeted account: the advisory describes only the missing expiry check, not a way to forge links, so the bug does not create a new way in but removes the time limit that would normally bound the damage from a leaked link.
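The following is an added illustration of the class of bug the advisory describes, written for this page; it is not TYPO3 code and makes no claim about how TYPO3 builds its tokens. It assumes a reset token of the form payload.mac where the payload is JSON carrying the user id and an expiry, signed with an application secret (SECRET is a constructed demo value). The vulnerable validator verifies the signature and then uses the token without ever looking at the expiry it carries; the fixed validator adds the comparison against the clock. A tampering helper shows why the expiry has to sit inside the signed payload: an attacker who can edit it without re-signing gains nothing.

```python
"""Password reset tokens with an embedded expiry, validated two ways."""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Assumption: a server-side secret known only to the application (constructed demo value).
SECRET = b"constructed-demo-secret-do-not-reuse"
DEFAULT_LIFETIME = 2 * 60 * 60  # two hours, the lifetime the advisory describes


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_reset_token(user_id: int, now: int, lifetime: int = DEFAULT_LIFETIME,
                      secret: bytes = SECRET) -> str:
    """Build 'payload.mac'; the expiry is part of the signed payload."""
    payload = json.dumps({"uid": user_id, "iat": now, "exp": now + lifetime},
                         sort_keys=True).encode("utf-8")
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64encode(payload) + "." + _b64encode(mac)


def _verified_claims(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims only if the MAC over the payload is correct."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = _b64decode(payload_b64)
        mac = _b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or not all(k in claims for k in ("uid", "iat", "exp")):
        return None
    return claims


def validate_vulnerable(token: str, now: int, secret: bytes = SECRET) -> Optional[int]:
    """Flawed validator: integrity is checked, 'exp' is carried but never compared to 'now'."""
    claims = _verified_claims(token, secret)
    return claims["uid"] if claims else None


def validate_fixed(token: str, now: int, secret: bytes = SECRET) -> Optional[int]:
    """Corrected validator: the same integrity check plus the time-window check."""
    claims = _verified_claims(token, secret)
    if claims is None:
        return None
    if now > claims["exp"] or now < claims["iat"]:
        return None
    return claims["uid"]


def tamper_expiry(token: str, new_exp: int) -> str:
    """Attacker attempt: rewrite 'exp' in the payload without knowing the secret."""
    payload_b64, mac_b64 = token.split(".")
    claims = json.loads(_b64decode(payload_b64))
    claims["exp"] = new_exp
    forged = json.dumps(claims, sort_keys=True).encode("utf-8")
    return _b64encode(forged) + "." + mac_b64


def demo() -> dict:
    """Issue one token and validate it fresh, stale, and after tampering."""
    issued_at = 1_663_063_200  # constructed: 2022-09-13 10:00:00 UTC
    token = issue_reset_token(user_id=4, now=issued_at)
    three_hours_later = issued_at + 3 * 60 * 60
    forged = tamper_expiry(token, issued_at + 10 * 24 * 60 * 60)
    return {
        "fresh_vulnerable": validate_vulnerable(token, issued_at + 60),
        "fresh_fixed": validate_fixed(token, issued_at + 60),
        "stale_vulnerable": validate_vulnerable(token, three_hours_later),
        "stale_fixed": validate_fixed(token, three_hours_later),
        "forged_fixed": validate_fixed(forged, three_hours_later),
    }


if __name__ == "__main__":
    print(demo())
```

The stale token is the case the CVE is about: both validators accept it while it is fresh, only the fixed one rejects it after the two-hour window. The forged token is rejected by either validator because the MAC no longer matches, which is the property that makes the expiry check meaningful in the first place.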
Potential Impact
For European organizations running TYPO3, this vulnerability threatens the confidentiality, integrity, and availability of the sites managed through it. Backend access lets an attacker edit content, inject scripts or malicious code into pages, deface the site, or read data stored or managed via the CMS. The consequences include reputational damage, loss of customer trust, regulatory exposure (notably under GDPR when personal data is involved), and financial loss. Government, finance, healthcare, and media organizations, which commonly rely on TYPO3 for their web presence, are the most exposed. The practical effect of the bug is that a reset link remains dangerous for as long as it exists anywhere: in a mailbox, a mail archive, a proxy log, or a ticketing system. Links that would otherwise have been harmless within hours stay usable indefinitely, so the window for social engineering or interception is no longer bounded. No active exploitation has been reported, but because the attack needs a link rather than a password, it suits an adversary who already has read access to a user's mail and wants backend access without cracking credentials.
Mitigation Recommendations
The primary and only complete mitigation is to update affected TYPO3 installations to 10.4.32 or 11.5.16 or later, where the expiry of the reset link is enforced; patch every affected instance promptly. In addition, administrators should review backend user accounts for password changes and password reset activity during the exposure window and, where a reset link may have leaked, reset that account's password again so that any previously issued link no longer matches the current state. Enabling multi-factor authentication for backend access (built into TYPO3 11.5; third-party extensions for older branches) limits what an attacker can do with a reset password alone. Enforce HTTPS so that reset links are not exposed in transit, keeping in mind that this does not protect links already sitting in a mailbox or a mail archive. Monitor web server and TYPO3 backend logs for reset links being used long after they were issued, from an unexpected source address, or for the same account repeatedly. Brief users and administrators on phishing that mimics password reset mail. Finally, restricting backend access to known IP ranges or to a VPN (TYPO3 supports an IP mask list for the backend) means a leaked link cannot be used from an arbitrary network.
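As an added example of the log review recommended above (written for this page, not tooling from the TYPO3 project), the script below scans combined-format access log lines for reset links that were used after their own embedded expiry. It assumes the reset link exposes its token as t, the user id as i and the expiry as a unix timestamp in e, and that the validating endpoint is /typo3/login/password-reset/validate; those parameter names and the path are assumptions, not taken from the advisory, and the log lines are constructed.

```python
"""Flag password-reset links that were used after their own embedded expiry."""
import re
from datetime import datetime
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access log lines; not real traffic.
# Assumption: token in "t", user id in "i", expiry unix timestamp in "e".
# The real TYPO3 parameter names and path may differ; adjust RESET_PATH and
# the keys below to match what your deployment logs.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Sep/2022:10:05:12 +0000] "GET /typo3/login/password-reset/validate?t=abc123&i=4&e=1663070400 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Sep/2022:10:05:40 +0000] "POST /typo3/login/password-reset/reset HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Sep/2022:09:30:01 +0000] "GET /typo3/login/password-reset/validate?t=abc123&i=4&e=1663070400 HTTP/1.1" 200 5120 "-" "curl/7.85.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
RESET_PATH = "/typo3/login/password-reset/validate"  # assumption, see above


def find_expired_reset_uses(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per request that hit the reset endpoint after its 'e' expiry."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m.group("target"))
        if url.path != RESET_PATH:
            continue
        query = parse_qs(url.query)
        try:
            expiry = int(query["e"][0])
        except (KeyError, ValueError):
            continue  # no parseable expiry on this link
        seen = int(datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp())
        if seen > expiry:
            findings.append({
                "ip": m.group("ip"),
                "token": query.get("t", [""])[0],
                "user": query.get("i", [""])[0],
                "seen": seen,
                "expired_by": seen - expiry,
                "status": int(m.group("status")),
            })
    return findings


if __name__ == "__main__":
    for hit in find_expired_reset_uses(SAMPLE_LOG):
        print(hit)
```

On an unpatched instance an expired link that still returns a success status, followed by a POST completing the reset, is the exploitation pattern to look for; on a patched instance the same request should be refused. In both cases a hit from an address other than the one that originally opened the link, as in the constructed third line, deserves a closer look at that account.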
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Sweden, Austria, Switzerland, Denmark, Italy
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2022-07-15T00:00:00.000Z
- Cisa Enriched
- true
Threat ID: 682d9844c4522896dcbf3e46
Added to database: 5/21/2025, 9:09:24 AM
Last enriched: 6/22/2025, 9:51:08 PM
Last updated: 8/14/2025, 11:45:31 PM