GHSA-82vp-jr39-4j2j: 
PHP vulnerability analysis and mitigation

A security misconfiguration vulnerability was discovered in TYPO3 CMS's Frontend Session Handling component, affecting versions 8.5.0-8.7.26 and 9.0.0-9.5.7. The vulnerability was disclosed on June 25, 2019, and was assigned a low severity rating. The issue impacts the frontend session handling functionality in the TYPO3 CMS core (TYPO3 Advisory).

The vulnerability occurs when frontend users log out, as their session data (such as shopping cart information) is transformed into an anonymous session. This session transformation process creates a security risk where subsequent users using the same browser could potentially access the previous user's session data. The vulnerability has been assigned a CVSS v3.1 base score of 8.2 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N (GitHub Advisory).

The vulnerability could lead to unauthorized access to previous user session data, potentially exposing sensitive information to subsequent users who use the same client application. This primarily affects the confidentiality of user data, with a high impact on data confidentiality and a low impact on data integrity (GitHub Advisory).

The vulnerability has been patched in TYPO3 versions 8.7.27 and 9.5.8. The fix implements strong security defaults where existing session data is purged when a frontend user logs out. For organizations that require the previous behavior, a configuration option has been introduced: $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.frontend.keepSessionDataOnLogout'] = 1. This can be set using either the Install Tool or appropriate deployment techniques (TYPO3 Advisory).