
Cloud Vulnerability DB
A community-led vulnerabilities database
TYPO3, an open source PHP-based web content management system, was found to contain an Improper Authentication vulnerability (CVE-2022-23501) affecting versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1. The vulnerability was disclosed on December 14, 2022, and allows bypassing frontend login restrictions for specific users organized in different storage folders (partitions) (NVD, TYPO3 Advisory).
The vulnerability is classified with a CVSS v3.1 Base Score of 6.5 (MEDIUM) according to NVD, with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. However, TYPO3's own assessment rates it at 5.9 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N. The vulnerability stems from improper authentication mechanisms in the frontend login system, specifically in how user access restrictions are enforced across different storage partitions (NVD).
The vulnerability allows an attacker to bypass user access restrictions and gain access to other accounts within the system. Note, however, that the attacker must know the credentials of the target account to exploit this vulnerability successfully (TYPO3 Advisory).
The vulnerability has been patched in TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, and 12.1.1. Users are advised to update to these patched versions to address the security issue (TYPO3 Advisory).
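The practical check an operator wants from this record is whether a given TYPO3 installation predates the fix on its release line. The script below is an added example written for this page; it is not code from the advisory or from the TYPO3 project. It encodes the fixed releases listed above and assumes version strings of the form `major.minor.patch`, optionally with a `v` prefix or a suffix such as `-dev` or ` ELTS`; the inventory it triages is constructed sample data.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# First fixed release on each major line, as stated in the advisory summary above.
# Anything on the same major line that sorts below this tuple is affected.
FIXED_RELEASES: Dict[int, Tuple[int, int, int]] = {
    8: (8, 7, 49),    # 8.7.49 ELTS
    9: (9, 5, 38),    # 9.5.38 ELTS
    10: (10, 4, 33),
    11: (11, 5, 20),
    12: (12, 1, 1),
}

# Accepts "11.5.19", "v10.4.33", "12.1.1-dev", "9.5.38 ELTS"; ignores trailing suffixes.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return the numeric (major, minor, patch) triple from a TYPO3 version string."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"not a TYPO3 version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates the fix on its major line, False if it includes
    the fix, None if the major line is not covered by the advisory (e.g. 7.x)."""
    parsed = parse_version(version)
    fixed = FIXED_RELEASES.get(parsed[0])
    if fixed is None:
        # Major lines newer than 12 were cut after the fix landed, so they carry it;
        # lines older than 8 are outside what the advisory lists, so report unknown.
        return False if parsed[0] > 12 else None
    return parsed < fixed


def triage(versions: Iterable[str]) -> Dict[str, Optional[bool]]:
    """Map each inventory entry to its vulnerability status for bulk review."""
    return {version: is_vulnerable(version) for version in versions}


if __name__ == "__main__":
    # Constructed sample inventory; replace with the versions from your own hosts.
    inventory = ["11.5.19", "11.5.20", "12.0.4", "v10.4.33", "9.5.38 ELTS", "8.7.48", "7.6.32"]
    for version, status in triage(inventory).items():
        label = {True: "VULNERABLE", False: "patched", None: "not covered by advisory"}[status]
        print(f"{version:14} {label}")
```

Comparing tuples rather than strings is what makes `11.5.9` sort below `11.5.20` correctly; a lexical comparison of the raw strings would get that wrong. The `None` result is deliberate: an installation on an unlisted line should be escalated for manual review, not silently reported as safe.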
Source: This report was generated using AI