CVE-2022-47406 is a security vulnerability identified in the fe_change_pwd extension for TYPO3, a widely used open-source content management system (CMS). This extension is responsible for allowing frontend users to change their passwords. The vulnerability exists in versions prior to 2.0.5 and 3.x prior to 3.0.3. The core issue is that when a user changes their password, the extension fails to revoke any existing active sessions associated with that user. This means that any sessions authenticated prior to the password change remain valid and active, allowing continued access without re-authentication. The vulnerability is classified under CWE-613, which relates to insufficient session expiration or invalidation. This flaw can lead to session fixation or session hijacking scenarios where an attacker or unauthorized party who has access to a valid session token can maintain access even after the legitimate user has changed their password. Although there are no known exploits in the wild at the time of publication, the risk remains significant because session invalidation is a fundamental security control to prevent unauthorized access after credential changes. The lack of session revocation undermines the integrity and confidentiality of user accounts and potentially the broader TYPO3 environment if privileged accounts are affected. TYPO3 is commonly used by organizations for website management, including government, educational institutions, and enterprises, making this vulnerability relevant to a broad set of users. The absence of a patch link suggests that users should upgrade to the fixed versions (2.0.5 or 3.0.3 and later) as soon as possible to mitigate the risk.

For European organizations using TYPO3 with the fe_change_pwd extension, this vulnerability poses a risk of unauthorized persistent access. Attackers who have obtained session tokens—whether through network interception, XSS attacks, or insider threats—can continue to access user accounts even after password changes, bypassing a critical security control. This can lead to data breaches, unauthorized modifications, and potential lateral movement within the organization's web infrastructure. The impact is particularly concerning for organizations handling sensitive personal data (e.g., GDPR-regulated entities), government websites, and critical infrastructure operators relying on TYPO3 for public-facing portals. The failure to revoke sessions compromises confidentiality and integrity, and may also affect availability if attackers perform malicious actions. Although exploitation requires prior access to a valid session, the vulnerability increases the window of opportunity for attackers to maintain access undetected. Given TYPO3's popularity in Europe, especially in Germany, the Netherlands, and other countries with strong open-source adoption, the threat is relevant to a significant number of organizations.

1. Immediate upgrade to fe_change_pwd extension versions 2.0.5 or 3.0.3 and later, where the session revocation issue is fixed. 2. Implement additional server-side session management controls to forcibly expire all active sessions upon password changes, independent of the extension's behavior. This can be done by customizing TYPO3 session handling or using third-party session management modules. 3. Enforce multi-factor authentication (MFA) for frontend user accounts to reduce the risk of session hijacking. 4. Monitor active sessions and implement alerts for unusual session activity or multiple concurrent sessions from different IP addresses for the same user. 5. Conduct regular security audits and penetration testing focusing on session management and authentication flows. 6. Educate users and administrators about the importance of logging out from all devices after password changes until patches are applied. 7. Review and restrict session token lifetimes to minimize the window of exposure. 8. Apply web application firewall (WAF) rules to detect and block suspicious session-related activities.