VYPR
Critical severity · NVD Advisory · Published Dec 14, 2022 · Updated Apr 21, 2025

CVE-2022-47406

Description

An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension before 2.0.5, and 3.x before 3.0.3, for TYPO3. The extension fails to revoke existing sessions for the current user when the password has been changed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The fe_change_pwd TYPO3 extension fails to invalidate existing user sessions after a password change, allowing continued access with old credentials.

The fe_change_pwd extension for TYPO3, which allows frontend users to change their passwords, contains a vulnerability in versions before 2.0.5 and 3.x before 3.0.3. The extension does not revoke existing sessions for the user after a password change [1][4]. This means that an attacker who gains access to a valid session token can continue to use it even after the legitimate user changes their password.

Exploitation requires the attacker to have obtained a valid session identifier before the password change, such as through session hijacking or theft. No additional authentication is needed beyond the existing session. The attack vector is network-based, and the attacker does not need any special privileges beyond the user's session [4].

The impact is that an attacker can maintain unauthorized access to the user's account even after the password is changed. This could lead to disclosure of sensitive information (confidentiality) or unauthorized modification of data (integrity), as the attacker retains the same privileges as the legitimate user [4]. The CVSS v3.1 score is 5.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N [4].

The vulnerability has been patched in versions 2.0.5 and 3.0.3 of the extension. Users are advised to update as soon as possible [4]. The TYPO3 security advisory credits Torben Hansen for reporting and fixing the issue [4].
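The flaw the advisory describes, modelled in plain Python as an added example (not code from the fe_change_pwd extension or from TYPO3): change_password_vulnerable reproduces the missing revocation, while change_password_fixed shows the expected behaviour of keeping only the session that made the change. The Account model, the session set and all function names are assumptions for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    password_hash: str
    sessions: set = field(default_factory=set)  # active session identifiers


def _hash(password: str) -> str:
    # Illustrative only; real deployments use a slow hash (bcrypt, argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def login(acct: Account, password: str) -> Optional[str]:
    """Issue a fresh session id on a correct password, else return None."""
    if acct.password_hash != _hash(password):
        return None
    sid = secrets.token_hex(16)
    acct.sessions.add(sid)
    return sid


def is_session_valid(acct: Account, sid: str) -> bool:
    return sid in acct.sessions


def change_password_vulnerable(acct: Account, current_sid: str, new_password: str) -> None:
    # Mirrors the flaw: the hash is replaced, but every session issued under
    # the old password stays valid (current_sid is deliberately unused).
    acct.password_hash = _hash(new_password)


def change_password_fixed(acct: Account, current_sid: str, new_password: str) -> None:
    # Hardened: replace the hash and revoke all other sessions, keeping only
    # the session that made the change so the user is not logged out.
    acct.password_hash = _hash(new_password)
    acct.sessions = {current_sid}


def other_session_survives(change_fn) -> bool:
    """Constructed scenario: a second session exists before the change.
    Returns True if it is still usable afterwards (the vulnerable outcome)."""
    acct = Account(password_hash=_hash("old-password"))
    users_sid = login(acct, "old-password")
    other_sid = login(acct, "old-password")  # session held by someone else
    change_fn(acct, users_sid, "new-password")
    return is_session_valid(acct, other_sid)
```

A regression test for the real extension would follow the same shape: open two frontend sessions, change the password from one, and assert the other is rejected.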

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Ecosystem   Affected versions     Patched versions
typo3/cms                  Packagist   < 2.0.5               2.0.5
typo3/cms                  Packagist   >= 3.0.0, < 3.0.3     3.0.3
derhansen/fe_change_pwd    Packagist   >= 3.0.0, < 3.0.3     3.0.3
derhansen/fe_change_pwd    Packagist   < 2.0.5               2.0.5

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.