Medium severity5.4NVD Advisory· Published Sep 13, 2022· Updated Jun 17, 2026
CVE-2022-36106
CVE-2022-36106
Description
TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the expiration time of a password reset link for TYPO3 backend users has never been evaluated. As a result, a password reset link could be used to perform a password reset even if the default expiry time of two hours has been exceeded. Update to TYPO3 version 10.4.32 or 11.5.16 that fix the problem. There are no known workarounds for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
typo3/cms-corePackagist | >= 10.4.0, < 10.4.32 | 10.4.32 |
typo3/cms-corePackagist | >= 11.0.0, < 11.5.16 | 11.5.16 |
typo3/cmsPackagist | >= 10.4.0, < 10.4.32 | 10.4.32 |
typo3/cmsPackagist | >= 11.0.0, < 11.5.16 | 11.5.16 |
Affected products
4- osv-coords3 versions
>= 10.0.0, < 10.4.31+ 2 more
- (no CPE)range: >= 10.0.0, < 10.4.31
- (no CPE)range: >= 10.4.0, < 10.4.32
- (no CPE)range: >= 10.4.0, < 10.4.32
Patches
Vulnerability mechanics
References
8- github.com/TYPO3/typo3/commit/56af2bd3a432156c30af9be71c9d6f7ef3a6159anvdPatchThird Party AdvisoryWEB
- github.com/TYPO3/typo3/security/advisories/GHSA-5959-4x58-r8c2nvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-5959-4x58-r8c2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-36106ghsaADVISORY
- typo3.org/security/advisory/typo3-core-sa-2022-008nvdVendor AdvisoryWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-36106.yamlghsaWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-36106.yamlghsaWEB
- github.com/TYPO3/typo3/commit/00b52a443b21baaaab35f8606dbb0ce427261bb5ghsaWEB
News mentions
0No linked articles in our index yet.