typo3/cms is vulnerable to improper access control. The expiration time of a password reset link is never evaluated, so an authenticated attacker can use a password reset link to perform a password reset even after the default expiry time of two hours has been exceeded.
github.com/TYPO3/typo3/commit/00b52a443b21baaaab35f8606dbb0ce427261bb5
github.com/TYPO3/typo3/commit/56af2bd3a432156c30af9be71c9d6f7ef3a6159a
github.com/TYPO3/typo3/commit/dffc750623bce733414b28c1f236ac0112568f2f
github.com/TYPO3/typo3/security/advisories/GHSA-5959-4x58-r8c2
typo3.org/security/advisory/typo3-core-sa-2022-008
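
The missing expiry check described above, shown as an added PHP example that is not TYPO3's code or taken from the linked commits: a reset-link validator that ignores the stored expiry beside one that evaluates it. All function names, the record layout and the sample timestamps are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; this is not TYPO3 code.
const RESET_LIFETIME = 2 * 3600; // the two-hour default named in the advisory

/** Issue a token; the server-side record keeps only its hash and an expiry. */
function issueResetToken(int $now): array
{
    $token = bin2hex(random_bytes(32));
    return [
        'token'  => $token,                      // goes into the emailed link
        'record' => [
            'hash'    => hash('sha256', $token), // persisted server side
            'expires' => $now + RESET_LIFETIME,
        ],
    ];
}

/** Flawed check: compares the hash but never looks at 'expires'. */
function isValidResetUnchecked(array $record, string $token, int $now): bool
{
    return hash_equals($record['hash'], hash('sha256', $token));
}

/** Corrected check: the expiry is evaluated before the token is accepted. */
function isValidReset(array $record, string $token, int $now): bool
{
    if ($now >= $record['expires']) {
        return false; // an expired link is rejected even if the hash matches
    }
    return hash_equals($record['hash'], hash('sha256', $token));
}

// Constructed sample: a link issued at $t0 and presented three hours later.
$t0     = 1700000000;
$issued = issueResetToken($t0);
$late   = $t0 + 3 * 3600;

// Flawed validator at +3h, corrected validator at +3h, corrected at +10min.
var_dump(isValidResetUnchecked($issued['record'], $issued['token'], $late));
var_dump(isValidReset($issued['record'], $issued['token'], $late));
var_dump(isValidReset($issued['record'], $issued['token'], $t0 + 600));
```

A regression test for this class of bug presents an otherwise valid token after the configured lifetime and asserts that the reset is refused.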