typo3/cms is vulnerable to session fixation. The vulnerability exists because the setAuthorizedAndRedirect function of BackendModuleController.php does not properly revoke tokens after the user account has been degraded to lower permissions or disabled completely.
github.com/TYPO3/typo3/commit/1b68d0fad1d5473477e432467de28436cc72283c
github.com/TYPO3/typo3/commit/40f1ea7b84f82809c437839c5bfcfea33aad3d75
github.com/TYPO3/typo3/commit/592387972912290c135ebecc91768a67f83a3a4d
github.com/TYPO3/typo3/security/advisories/GHSA-wwjw-r3gj-39fq
typo3.org/security/advisory/typo3-core-sa-2022-005