typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php · 62b218c02476ab3a4526ebfe2495b1ca49096adb · typo3 / typo3

[SECURITY] Avoid storing plain session identifier in $USER->uc · 62b218c0

Oliver Hader authored Mar 16, 2021 and

Oliver Hader committed Mar 16, 2021

`AbstractUserAuthentication::$uc['moduleSessionID']` still stored plain
session identifier, which has been replaced by corresponding HMAC.

Resolves: #93359
Releases: master, 11.1, 10.4, 9.5
Change-Id: I920b8d3b364c249d2ec3a6deb42e141e5a1b8ff7
Security-Bulletin: TYPO3-CORE-SA-2021-006
Security-References: CVE-2021-21339
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68416


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

62b218c0