VYPR
Moderate severity · NVD Advisory · Published Dec 14, 2022 · Updated Apr 21, 2025

TYPO3 contains Insufficient Session Expiration after Password Reset

CVE-2022-23502

Description

TYPO3 is an open source PHP based web content management system. In versions prior to 10.4.33, 11.5.20, and 12.1.1, when users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions. This issue is patched in versions 10.4.33, 11.5.20, and 12.1.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TYPO3 CMS failed to revoke user sessions after a password reset, allowing continued access by old sessions.

CVE-2022-23502 describes a vulnerability in the TYPO3 content management system where the password recovery functionality does not invalidate existing user sessions. When a user successfully resets their password, any previously authenticated sessions for that account, both in the frontend and backend, remain valid. The root cause is a missing call to invalidate sessions after the password change, as shown in the patch [3].

An attacker who gains access to a user's active session token (e.g., via session hijacking or if the token is shared) could use that session even after the legitimate user has changed their password. The attack requires no special network position beyond having the session identifier; the session remains active until it expires or is manually terminated. The vulnerability affects all TYPO3 versions prior to 10.4.33, 11.5.20, and 12.1.1 [1].

The impact is that a successful attacker can maintain unauthorized access to the affected user's account, potentially reading or modifying content, escalating privileges, or performing actions as that user. Since both frontend and backend sessions are affected, the scope includes any user with an active session at the time of the password reset. This increases the risk of account takeover despite the password change [1][4].

The issue is patched in TYPO3 versions 10.4.33, 11.5.20, and 12.1.1. The fix adds a method to invalidate all backend and frontend sessions for the user after a password reset [3]. Administrators should upgrade to a patched version promptly. No workaround is documented.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
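The missing step described above, as an added example that is not part of this advisory or of TYPO3's code base: a minimal in-memory session store in PHP whose `invalidateAllSessionsByUserId()` plays the role of the `SessionManager` method the patch calls. A session issued before the reset still resolves to the user after a reset that skips revocation, and resolves to nothing after one that performs it. `SessionStore`, `resetPassword()` and `resetPasswordWithoutRevocation()` are assumed names; the user id 42 and password are constructed sample data.

```php
<?php
declare(strict_types=1);
// Added illustration, not TYPO3 code. SessionStore and the two reset functions are
// assumed names; they mirror the shape of the fix: once the credential changes,
// every session belonging to that user id is dropped, whichever client holds it.
final class SessionStore
{
    /** @var array<string,int> session id => user id */
    private array $sessions = [];
    /** @var array<int,string> user id => password hash (constructed sample data) */
    public array $passwordHashes = [];
    public function create(int $userId): string
    {
        $sid = bin2hex(random_bytes(16));
        $this->sessions[$sid] = $userId;
        return $sid;
    }

    public function resolve(string $sid): ?int
    {
        return $this->sessions[$sid] ?? null;
    }

    // Counterpart of SessionManager::invalidateAllSessionsByUserId().
    public function invalidateAllSessionsByUserId(int $userId): void
    {
        $this->sessions = array_filter($this->sessions, static fn (int $u): bool => $u !== $userId);
    }
}

// Vulnerable pattern (TYPO3 < 10.4.33 / 11.5.20 / 12.1.1): only the credential changes.
function resetPasswordWithoutRevocation(SessionStore $store, int $userId, string $newPassword): void
{
    $store->passwordHashes[$userId] = password_hash($newPassword, PASSWORD_DEFAULT);
}

// Fixed pattern: change the credential, then revoke every existing session.
function resetPassword(SessionStore $store, int $userId, string $newPassword): void
{
    $store->passwordHashes[$userId] = password_hash($newPassword, PASSWORD_DEFAULT);
    $store->invalidateAllSessionsByUserId($userId);
}

$store = new SessionStore();
$staleSid = $store->create(42); // session issued before the reset
resetPasswordWithoutRevocation($store, 42, 'new-secret');
printf("after reset without revocation: %s\n", var_export($store->resolve($staleSid), true));
resetPassword($store, 42, 'new-secret');
printf("after reset with revocation: %s\n", var_export($store->resolve($staleSid), true));
```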

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Ecosystem   Affected versions      Patched versions
typo3/cms-core   Packagist   >= 10.0.0, < 10.4.33   10.4.33
typo3/cms-core   Packagist   >= 11.0.0, < 11.5.20   11.5.20
typo3/cms-core   Packagist   >= 12.0.0, < 12.1.1    12.1.1
typo3/cms        Packagist   >= 10.0.0, < 10.4.33   10.4.33
typo3/cms        Packagist   >= 11.0.0, < 11.5.20   11.5.20
typo3/cms        Packagist   >= 12.0.0, < 12.1.1    12.1.1


Patches

Commit d9ffbf24fcc6

[SECURITY] Destroy user sessions on password change

https://github.com/TYPO3/typo3 · Torben Hansen · Dec 13, 2022 · via ghsa
2 files changed · +26 −0
  • typo3/sysext/backend/Classes/Authentication/PasswordReset.php · +13 −0 · modified
    @@ -42,6 +42,7 @@
     use TYPO3\CMS\Core\PasswordPolicy\PasswordPolicyAction;
     use TYPO3\CMS\Core\PasswordPolicy\PasswordPolicyValidator;
     use TYPO3\CMS\Core\PasswordPolicy\Validator\Dto\ContextData;
    +use TYPO3\CMS\Core\Session\SessionManager;
     use TYPO3\CMS\Core\SysLog\Action\Login as SystemLogLoginAction;
     use TYPO3\CMS\Core\SysLog\Error as SystemLogErrorClassification;
     use TYPO3\CMS\Core\SysLog\Type as SystemLogType;
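Review bot: the invalidateUserSessions() method added further down this file calls GeneralUtility::makeInstance(), but this hunk only imports SessionManager; confirm that `use TYPO3\CMS\Core\Utility\GeneralUtility;` already exists in PasswordReset.php (it is outside the visible context), otherwise the new method fails at runtime with an unresolved class.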
    @@ -340,6 +341,8 @@ public function resetPassword(ServerRequestInterface $request, Context $context)
                 ->getConnectionForTable('be_users')
                 ->update('be_users', ['password_reset_token' => '', 'password' => $this->getHasher()->getHashedPassword($newPassword)], ['uid' => $userId]);
     
    +        $this->invalidateUserSessions($userId);
    +
             $this->logger->info('Password reset successful for user {user_id)', ['user_id' => $userId]);
             $this->log(
                 'Password reset successful for user %s',
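Review bot: the ordering is right (sessions are revoked only after the new hash has been written to be_users, so a failed update cannot leave a user locked out with stale sessions still alive), but while touching this block fix the unchanged context line `$this->logger->info('Password reset successful for user {user_id)', ...)`: the placeholder is closed with `)` instead of `}`, so the user id never interpolates into the log message and the log loses exactly the field an analyst would pivot on after a reset.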
    @@ -493,4 +496,14 @@ protected function isValidPassword(string $password, array $user): bool
             $contextData = new ContextData(currentPasswordHash: $user['password']);
             return $passwordPolicyValidator->isValidPassword($password, $contextData);
         }
    +
    +    /**
    +     * Invalidate all backend user sessions by given user id
    +     */
    +    protected function invalidateUserSessions(int $userId): void
    +    {
    +        $sessionManager = GeneralUtility::makeInstance(SessionManager::class);
    +        $sessionBackend = $sessionManager->getSessionBackend('BE');
    +        $sessionManager->invalidateAllSessionsByUserId($sessionBackend, $userId);
    +    }
     }
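Review bot: the docblock on invalidateUserSessions() should say that no session is exempted, not just "by given user id". Revoking every 'BE' session is correct for a password reset, which is performed while logged out, but the same helper must not be reused later for an authenticated password change without passing the caller's own session to keep, or the user changing their password will be logged out of the request that performed it.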
    
  • typo3/sysext/felogin/Classes/Controller/PasswordRecoveryController.php · +13 −0 · modified
    @@ -22,6 +22,7 @@
     use TYPO3\CMS\Core\Context\Exception\AspectNotFoundException;
     use TYPO3\CMS\Core\Crypto\PasswordHashing\InvalidPasswordHashException;
     use TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
    +use TYPO3\CMS\Core\Session\SessionManager;
     use TYPO3\CMS\Core\Type\ContextualFeedbackSeverity;
     use TYPO3\CMS\Core\Utility\GeneralUtility;
     use TYPO3\CMS\Extbase\Error\Error;
    @@ -206,7 +207,9 @@ public function changePasswordAction(string $newPass, string $hash): ResponseInt
                 return $hashedPassword;
             }
     
    +        $user = $this->userRepository->findOneByForgotPasswordHash(GeneralUtility::hmac($hash));
             $this->userRepository->updatePasswordAndInvalidateHash(GeneralUtility::hmac($hash), $hashedPassword);
    +        $this->invalidateUserSessions($user['uid']);
     
             $this->addFlashMessage($this->getTranslation('change_password_done_message'));
     
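Review bot: `$user['uid']` is dereferenced without a guard. The lookup via findOneByForgotPasswordHash() correctly happens before updatePasswordAndInvalidateHash() clears the hash, but if it returns null the call to invalidateUserSessions(int $userId) throws a TypeError after the password has already been updated, leaving the stale sessions alive and the request failing with a 500 instead of the flash message. Guard it (`if ($user !== null) { $this->invalidateUserSessions((int)$user['uid']); }`), and cast the uid explicitly since the parameter is typed int and database rows may carry string values under declare(strict_types=1).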
    @@ -315,4 +318,14 @@ protected function exposeNoneExistentUser(?array $user): bool
                 true
             );
         }
    +
    +    /**
    +     * Invalidate all frontend user sessions by given user id
    +     */
    +    protected function invalidateUserSessions(int $userId): void
    +    {
    +        $sessionManager = GeneralUtility::makeInstance(SessionManager::class);
    +        $sessionBackend = $sessionManager->getSessionBackend('FE');
    +        $sessionManager->invalidateAllSessionsByUserId($sessionBackend, $userId);
    +    }
     }
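Review bot: this method is a line-for-line copy of the one added to PasswordReset.php with only the backend key changed ('FE' instead of 'BE'); consider a shared helper that takes the session backend key, so that any later change to the revocation logic (for example keeping the current session on an authenticated change) lands in both code paths at once instead of drifting apart.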
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
