typo3/cms and typo3/cms-core are vulnerable to insecure session management. An attacker is able to bypass authentication when a user resets their password using the corresponding password recovery functionality, as existing sessions for that particular user account are not revoked.
github.com/advisories/GHSA-mgj2-q8wp-29rr
github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-23502.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-23502.yaml
github.com/TYPO3/typo3/commit/4a41c71b8c7b4622633ee4b6ce1da065a7158760
github.com/TYPO3/typo3/commit/4ad509273a5535ab5da74e2b547b640683fad0e5
github.com/TYPO3/typo3/commit/d9ffbf24fcc62068033ebb3912538347bd380a6c
github.com/TYPO3/typo3/security/advisories/GHSA-mgj2-q8wp-29rr
typo3.org/security/advisory/typo3-core-sa-2022-014
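
The flaw described above, and one way to close it, shown as an added example; this is not TYPO3 code and not taken from the linked commits. `SessionStore`, `Accounts` and their methods are hypothetical names, and the in-memory arrays stand in for a real session backend and user table.

```php
<?php
declare(strict_types=1);
// Hypothetical names throughout; the arrays stand in for real storage.
final class SessionStore
{
    private array $sessions = []; // session id => user id

    public function create(int $userId): string
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = $userId;
        return $id;
    }

    public function userFor(string $id): ?int
    {
        return $this->sessions[$id] ?? null;
    }

    // Drops every session bound to the account and returns how many were removed.
    public function revokeAllForUser(int $userId): int
    {
        $before = count($this->sessions);
        $this->sessions = array_filter($this->sessions, fn (int $u): bool => $u !== $userId);
        return $before - count($this->sessions);
    }
}

final class Accounts
{
    private array $hashes = []; // user id => password hash
    public function __construct(private SessionStore $sessions) {}
    // $revoke = false reproduces the behaviour the advisory describes: the
    // hash changes but sessions opened under the old credential stay valid.
    public function resetPassword(int $userId, string $new, bool $revoke = true): int
    {
        $this->hashes[$userId] = password_hash($new, PASSWORD_DEFAULT);
        return $revoke ? $this->sessions->revokeAllForUser($userId) : 0;
    }
}

// Constructed scenario: user 7 holds a session that predates the reset.
$store = new SessionStore();
$accounts = new Accounts($store);
$stale = $store->create(7);
$other = $store->create(8);
$accounts->resetPassword(7, 'constructed-passphrase-1', false);
var_dump($store->userFor($stale)); // lookup of the pre-reset session, no revocation
$accounts->resetPassword(7, 'constructed-passphrase-2');
var_dump($store->userFor($stale), $store->userFor($other)); // same lookup after revocation; user 8 untouched
```

The count returned by `resetPassword` is worth logging: a reset that revokes more sessions than the account owner recognises is a signal to review recent activity on that account.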