Commit 00b52a44 authored by Torben Hansen, committed by Oliver Hader

[SECURITY] Respect expiration time of password reset token

When a TYPO3 backend user performs a password reset request, a
password reset link including an expiration time is sent to the
user. The expiration time is included in HMAC calculation of
the saved password reset hash, but it is never evaluated if the
expiration time is exceeded.

This change adds the missing validity check for the expiration
time included in the password reset link.

Resolves: #97998
Releases: main, 11.5, 10.4
Change-Id: I8a1730faf6489e5c5eebb44ff4f82606785bd637
Security-Bulletin: TYPO3-CORE-SA-2022-008
Security-References: CVE-2022-36106
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75711


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
parent f0fc9c4c
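
The class of bug the commit message describes, as an added example that is not TYPO3's code and not part of this commit: an expiry timestamp that is covered by the HMAC but never compared with the current time. The function names, the secret, the field layout and the two-hour lifetime are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed demo secret (assumption); a real application uses its own server-side key.
const DEMO_SECRET = 'constructed-demo-secret';

/** Hypothetical helper: the MAC binds the token to the user and the expiry timestamp. */
function resetTokenMac(string $token, int $userId, int $expires): string
{
    return hash_hmac('sha256', $token . '|' . $userId . '|' . $expires, DEMO_SECRET);
}

/** Before: the MAC covers $expires, but $expires is never compared with the clock. */
function isValidWithoutExpiryCheck(string $token, int $userId, int $expires, string $storedMac): bool
{
    return hash_equals($storedMac, resetTokenMac($token, $userId, $expires));
}

/** After: reject an expired link first, then verify the MAC in constant time. */
function isValidWithExpiryCheck(string $token, int $userId, int $expires, string $storedMac, int $now): bool
{
    if ($expires < $now) {
        return false;
    }
    return hash_equals($storedMac, resetTokenMac($token, $userId, $expires));
}

// Constructed sample: a link issued at t=1000 with a two-hour lifetime.
$issuedAt = 1000;
$expires  = $issuedAt + 7200;
$token    = 'constructed-token-value';
$mac      = resetTokenMac($token, 42, $expires);
$dayLater = $issuedAt + 86400;

// Case 1: link used a day later, verification without the expiry check.
var_dump(isValidWithoutExpiryCheck($token, 42, $expires, $mac));
// Case 2: same link a day later, verification with the expiry check.
var_dump(isValidWithExpiryCheck($token, 42, $expires, $mac, $dayLater));
// Case 3: same link one minute after it was issued.
var_dump(isValidWithExpiryCheck($token, 42, $expires, $mac, $issuedAt + 60));
// Case 4: expiry in the link pushed forward by a day; the MAC no longer matches.
var_dump(isValidWithExpiryCheck($token, 42, $expires + 86400, $mac, $dayLater));
```

Including the expiry in the MAC only prevents the timestamp from being altered; the comparison against the current time is what makes the link stop working.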