GHSA-f777-f784-36gm: TYPO3 Security Misconfiguration in Install Tool Cookie
It has been discovered that cookies created in the Install Tool are not hardened to be submitted only via HTTP. In combination with other vulnerabilities such as cross-site scripting it can lead to hijacking an active and valid session in the Install Tool.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2018-12-11-4.yaml
- github.com/TYPO3/typo3
- github.com/TYPO3/typo3/commit/13328b0f74ac589a20b021db814dfa672581c26a
- github.com/TYPO3/typo3/commit/918e50e4d20d88c7e40ad3bb134267d07706b0b1
- github.com/TYPO3/typo3/commit/a5359491e3fb3164a6ba96a66c8e67fbb9971a4c
- github.com/advisories/GHSA-f777-f784-36gm
- typo3.org/security/advisory/typo3-core-sa-2018-009
Code Behaviors & Features
Detect and mitigate GHSA-f777-f784-36gm with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →