Skip to main content

Typo3 CVE-2023-24814

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-02-07 security-advisories@github.com
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Feb 07, 2023 - 19:15 nvd
MEDIUM 6.1

DescriptionNVD

TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component GeneralUtility::getIndpEnv() uses the unfiltered server environment variable PATH_INFO, which allows attackers to inject malicious content. In combination with the TypoScript setting config.absRefPrefix=auto, attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of GeneralUtility::getIndpEnv('SCRIPT_NAME') and corresponding usages (as shown below) are vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod_php are vulnerable. The usage of server environment variable PATH_INFO has been removed from corresponding processings in GeneralUtility::getIndpEnv(). Besides that, the public property TypoScriptFrontendController::$absRefPrefix is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Users are advised to update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS and 12.2.0 which fix this problem. For users who are unable to patch in a timely manner the TypoScript setting config.absRefPrefix should at least be set to a static path value, instead of using auto - e.g. config.absRefPrefix=/. This workaround does not fix all aspects of the vulnerability, and is just considered to be an intermediate mitigation to the most prominent manifestation.

AnalysisAI

TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component GeneralUtility::getIndpEnv() uses the unfiltered server environment variable PATH_INFO, which allows attackers to inject malicious content. In combination with the TypoScript setting config.absRefPrefix=auto, attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of GeneralUtility::getIndpEnv('SCRIPT_NAME') and corresponding usages (as shown below) are vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod_php are vulnerable. The usage of server environment variable PATH_INFO has been removed from corresponding processings in GeneralUtility::getIndpEnv(). Besides that, the public property TypoScriptFrontendController::$absRefPrefix is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Users are advised to update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS and 12.2.0 which fix this problem. For users who are unable to patch in a timely manner the TypoScript setting config.absRefPrefix should at least be set to a static path value, instead of using auto - e.g. config.absRefPrefix=/. This workaround does not fix all aspects of the vulnerability, and is just considered to be an intermediate mitigation to the most prominent manifestation. Affected products include: Typo3.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Typo3

View all
CVE-2017-14251 HIGH POC
8.8 Sep 11

Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php i

CVE-2014-9509 HIGH POC
7.5 Jan 04

The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, w

CVE-2016-4056 MEDIUM POC
6.1 Jan 23

Cross-site scripting (XSS) vulnerability in the Backend component in TYPO3 6.2.x before 6.2.19 allows remote attackers t

CVE-2020-26227 MEDIUM POC
6.1 Nov 23

TYPO3 is an open source PHP based web content management system. Rated medium severity (CVSS 6.1), this vulnerability is

CVE-2020-15241 MEDIUM POC
6.1 Oct 08

TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vul

CVE-2020-8091 MEDIUM POC
6.1 Jan 27

svg.swf in TYPO3 6.2.0 to 6.2.38 ELTS and 7.0.0 to 7.1.0 could allow an unauthenticated, remote attacker to conduct a cr

CVE-2020-11066 CRITICAL
10.0 May 14

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.

CVE-2021-21365 MEDIUM POC
5.4 Apr 27

Bootstrap Package is a theme for TYPO3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, lo

CVE-2017-6370 MEDIUM POC
5.3 Mar 17

TYPO3 7.6.15 sends an http request to an index.php?loginProvider URI in cases with an https Referer, which allows remote

CVE-2024-34537 MEDIUM POC
4.9 Oct 28

TYPO3 before 13.3.1 allows denial of service (interface error) in the Bookmark Toolbar (ext:backend), exploitable by an

CVE-2022-23503 HIGH
8.8 Dec 14

TYPO3 is an open source PHP based web content management system. Rated high severity (CVSS 8.8), this vulnerability is r

CVE-2021-41113 HIGH
8.8 Oct 05

TYPO3 is an open source PHP based web content management system released under the GNU GPL. Rated high severity (CVSS 8.

Share

CVE-2023-24814 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy