{"id":"CVE-2023-47127","summary":"Weak Authentication in Session Handling in typo3/cms-core","details":"TYPO3 is an open source PHP-based web content management system released under the GNU GPL. In TYPO3 installations there are always at least two different sites, e.g. first.example.org and second.example.com. In affected versions a session cookie generated for the first site can be reused on the second site without requiring additional authentication. This vulnerability has been addressed in versions 8.7.55, 9.5.44, 10.4.41, 11.5.33, and 12.4.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.","aliases":["BIT-typo3-2023-47127","GHSA-3vmm-7h4j-69rm"],"modified":"2026-04-02T09:38:44.682531Z","published":"2023-11-14T19:26:07.849Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-302"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/47xxx/CVE-2023-47127.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/47xxx/CVE-2023-47127.json"},{"type":"ADVISORY","url":"https://github.com/TYPO3/typo3/security/advisories/GHSA-3vmm-7h4j-69rm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-47127"},{"type":"ADVISORY","url":"https://typo3.org/security/advisory/typo3-core-sa-2023-006"},{"type":"FIX","url":"https://github.com/TYPO3/typo3/commit/535dfbdc54fd5362e0bc08d911db44eac7f64019"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/typo3/typo3","events":[{"introduced":"6a5e2d4097ef0a0e3ea955af93cf83810d6fa234"},{"fixed":"939ef26e7fcd18ec68af7743014446a45527e502"}],"database_specific":{"versions":[{"introduced":"11.0.0"},{"fixed":"11.5.33"}]}},{"type":"GIT","repo":"https://github.com/typo3/typo3","events":[{"introduced":"36096733dea4bd6f6168209609fa879dc25c0138"},{"fixed":"639f2dbbafa5e6835499e70e111c7f22bc6cb966"}],"database_specific":{"versions":[{"introduced":"12.0.0"},{"fixed":"12.4.8"}]}}],"versions":["v11.
0.0","v11.1.0","v11.1.1","v11.2.0","v11.3.0","v11.3.1","v11.3.2","v11.3.3","v11.4.0","v11.5.0","v11.5.1","v11.5.10","v11.5.11","v11.5.12","v11.5.13","v11.5.14","v11.5.15","v11.5.16","v11.5.17","v11.5.18","v11.5.19","v11.5.2","v11.5.20","v11.5.21","v11.5.22","v11.5.23","v11.5.24","v11.5.25","v11.5.26","v11.5.27","v11.5.28","v11.5.29","v11.5.3","v11.5.30","v11.5.31","v11.5.32","v11.5.4","v11.5.5","v11.5.6","v11.5.7","v11.5.8","v11.5.9","v12.0.0","v12.1.0","v12.1.1","v12.1.2","v12.1.3","v12.2.0","v12.3.0","v12.4.0","v12.4.1","v12.4.10","v12.4.11","v12.4.12","v12.4.13","v12.4.14","v12.4.15","v12.4.16","v12.4.17","v12.4.18","v12.4.19","v12.4.2","v12.4.20","v12.4.21","v12.4.22","v12.4.23","v12.4.24","v12.4.25","v12.4.26","v12.4.27","v12.4.28","v12.4.29","v12.4.3","v12.4.30","v12.4.31","v12.4.32","v12.4.33","v12.4.34","v12.4.35","v12.4.36","v12.4.37","v12.4.38","v12.4.39","v12.4.4","v12.4.40","v12.4.41","v12.4.42","v12.4.43","v12.4.44","v12.4.5","v12.4.6","v12.4.7","v12.4.8","v12.4.9","v13.0.0","v13.0.1","v13.1.0","v13.1.1","v13.2.0","v13.2.1","v13.3.0","v13.3.1","v13.4.0","v13.4.1","v13.4.10","v13.4.11","v13.4.12","v13.4.13","v13.4.14","v13.4.15","v13.4.16","v13.4.17","v13.4.18","v13.4.19","v13.4.2","v13.4.20","v13.4.21","v13.4.22","v13.4.23","v13.4.24","v13.4.25","v13.4.26","v13.4.27","v13.4.3","v13.4.4","v13.4.5","v13.4.6","v13.4.7","v13.4.8","v13.4.9","v14.0.0","v14.0.1","v14.0.2","v14.1.0","v14.1.1","v14.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-47127.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/typo3/typo3.cms","events":[{"introduced":"6a5e2d4097ef0a0e3ea955af93cf83810d6fa234"},{"fixed":"939ef26e7fcd18ec68af7743014446a45527e502"},{"introduced":"36096733dea4bd6f6168209609fa879dc25c0138"},{"fixed":"639f2dbbafa5e6835499e70e111c7f22bc6cb966"}],"database_specific":{"versions":[{"introduced":"11.0.0"},{"fixed":"11.5.33"},{"introduced":"12.0.0"},{"fixed":"12.4.8"}]}}],"versions":["v11.0.0","v11.
1.0","v11.1.1","v11.2.0","v11.3.0","v11.3.1","v11.3.2","v11.3.3","v11.4.0","v11.5.0","v11.5.1","v11.5.10","v11.5.11","v11.5.12","v11.5.13","v11.5.14","v11.5.15","v11.5.16","v11.5.17","v11.5.18","v11.5.19","v11.5.2","v11.5.20","v11.5.21","v11.5.22","v11.5.23","v11.5.24","v11.5.25","v11.5.26","v11.5.27","v11.5.28","v11.5.29","v11.5.3","v11.5.30","v11.5.31","v11.5.32","v11.5.4","v11.5.5","v11.5.6","v11.5.7","v11.5.8","v11.5.9","v12.0.0","v12.1.0","v12.1.1","v12.1.2","v12.1.3","v12.2.0","v12.3.0","v12.4.0","v12.4.1","v12.4.2","v12.4.3","v12.4.4","v12.4.5","v12.4.6","v12.4.7","v13.0.0","v13.0.1","v13.1.0","v13.1.1","v13.2.0","v13.2.1","v13.3.0","v13.3.1","v13.4.0","v13.4.1","v13.4.10","v13.4.11","v13.4.12","v13.4.13","v13.4.14","v13.4.15","v13.4.16","v13.4.17","v13.4.18","v13.4.19","v13.4.2","v13.4.20","v13.4.21","v13.4.22","v13.4.23","v13.4.24","v13.4.25","v13.4.26","v13.4.27","v13.4.3","v13.4.4","v13.4.5","v13.4.6","v13.4.7","v13.4.8","v13.4.9","v14.0.0","v14.0.1","v14.0.2","v14.1.0","v14.1.1","v14.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-47127.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"}]}