[SECURITY] Avoid storing plain session identifier in $USER->uc (6b8a1e13) · Commits · TYPO3 / TYPO3.CMS

Commit 6b8a1e13 authored 4 years ago by

Oliver Hader Committed by Oliver Hader 4 years ago

[SECURITY] Avoid storing plain session identifier in $USER->uc

`AbstractUserAuthentication::$uc['moduleSessionID']` still stored plain
session identifier, which has been replaced by corresponding HMAC.

Resolves: #93359
Releases: master, 11.1, 10.4, 9.5
Change-Id: I920b8d3b364c249d2ec3a6deb42e141e5a1b8ff7
Security-Bulletin: TYPO3-CORE-SA-2021-006
Security-References: CVE-2021-21339
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68439


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

parent d339f493

Branches