Search for vulnerabilities
Vulnerability details: VCID-u89a-9jv7-bkhu
Vulnerability ID VCID-u89a-9jv7-bkhu
Aliases CVE-2022-31050
GHSA-wwjw-r3gj-39fq
Summary Insufficient Session Expiration in TYPO3's Admin Tool > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L/E:F/RL:O/RC:C` (5.6) ### Problem Admin Tool sessions initiated via the TYPO3 backend user interface have not been revoked even if the corresponding user account was degraded to lower permissions or disabled completely. This way, sessions in the admin tool theoretically could have been prolonged without any limit. ### Solution Update to TYPO3 versions 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above. ### Credits Thanks to Kien Hoang who reported this issue and to TYPO3 framework merger Ralf Zimmermann and TYPO3 security member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2022-005](https://typo3.org/security/advisory/typo3-core-sa-2022-005)
Status Published
Exploitability 0.5
Weighted Severity 6.5
Risk 3.2
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-613 Insufficient Session Expiration
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00375 https://api.first.org/data/v1/epss?cve=CVE-2022-31050
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-wwjw-r3gj-39fq
cvssv3.1 6.0 https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-31050.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-31050.yaml
cvssv3.1 6.0 https://github.com/TYPO3-CMS/core
generic_textual MODERATE https://github.com/TYPO3-CMS/core
cvssv3.1 6 https://github.com/TYPO3/typo3/commit/592387972912290c135ebecc91768a67f83a3a4d
cvssv3.1 6.0 https://github.com/TYPO3/typo3/commit/592387972912290c135ebecc91768a67f83a3a4d
generic_textual MODERATE https://github.com/TYPO3/typo3/commit/592387972912290c135ebecc91768a67f83a3a4d
ssvc Track https://github.com/TYPO3/typo3/commit/592387972912290c135ebecc91768a67f83a3a4d
cvssv3.1 6 https://github.com/TYPO3/typo3/security/advisories/GHSA-wwjw-r3gj-39fq
cvssv3.1 6.0 https://github.com/TYPO3/typo3/security/advisories/GHSA-wwjw-r3gj-39fq
cvssv3.1_qr MODERATE https://github.com/TYPO3/typo3/security/advisories/GHSA-wwjw-r3gj-39fq
generic_textual MODERATE https://github.com/TYPO3/typo3/security/advisories/GHSA-wwjw-r3gj-39fq
ssvc Track https://github.com/TYPO3/typo3/security/advisories/GHSA-wwjw-r3gj-39fq
cvssv2 6.5 https://nvd.nist.gov/vuln/detail/CVE-2022-31050
cvssv3.1 6.0 https://nvd.nist.gov/vuln/detail/CVE-2022-31050
cvssv3.1 7.2 https://nvd.nist.gov/vuln/detail/CVE-2022-31050
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2022-31050
cvssv3.1 6 https://typo3.org/security/advisory/typo3-core-sa-2022-005
cvssv3.1 6.0 https://typo3.org/security/advisory/typo3-core-sa-2022-005
generic_textual MODERATE https://typo3.org/security/advisory/typo3-core-sa-2022-005
ssvc Track https://typo3.org/security/advisory/typo3-core-sa-2022-005
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-31050
https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-31050.yaml
https://github.com/TYPO3-CMS/core
https://github.com/TYPO3/typo3/commit/592387972912290c135ebecc91768a67f83a3a4d
https://github.com/TYPO3/typo3/security/advisories/GHSA-wwjw-r3gj-39fq
https://nvd.nist.gov/vuln/detail/CVE-2022-31050
https://typo3.org/security/advisory/typo3-core-sa-2022-005
cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
cpe:2.3:a:typo3:typo3:*:*:*:*:elts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:*:*:*:*:elts:*:*:*
GHSA-wwjw-r3gj-39fq https://github.com/advisories/GHSA-wwjw-r3gj-39fq
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-31050.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L Found at https://github.com/TYPO3-CMS/core
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L Found at https://github.com/TYPO3/typo3/commit/592387972912290c135ebecc91768a67f83a3a4d
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L Found at https://github.com/TYPO3/typo3/commit/592387972912290c135ebecc91768a67f83a3a4d
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:05:13Z/ Found at https://github.com/TYPO3/typo3/commit/592387972912290c135ebecc91768a67f83a3a4d
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L Found at https://github.com/TYPO3/typo3/security/advisories/GHSA-wwjw-r3gj-39fq
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L Found at https://github.com/TYPO3/typo3/security/advisories/GHSA-wwjw-r3gj-39fq
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:05:13Z/ Found at https://github.com/TYPO3/typo3/security/advisories/GHSA-wwjw-r3gj-39fq
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2022-31050
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2022-31050
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-31050
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L Found at https://typo3.org/security/advisory/typo3-core-sa-2022-005
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L Found at https://typo3.org/security/advisory/typo3-core-sa-2022-005
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:05:13Z/ Found at https://typo3.org/security/advisory/typo3-core-sa-2022-005
Exploit Prediction Scoring System (EPSS)
Percentile 0.58281
EPSS Score 0.00375
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:25:35.605017+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-wwjw-r3gj-39fq/GHSA-wwjw-r3gj-39fq.json 36.1.3