cvelistv5 - cve-2023-24814

cve-2023-24814

Vulnerability from cvelistv5

Published

2023-02-07 18:14

Modified

2024-08-02 11:03

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

Summary

TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of `GeneralUtility::getIndpEnv('SCRIPT_NAME')` and corresponding usages (as shown below) are vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod_php are vulnerable. The usage of server environment variable `PATH_INFO` has been removed from corresponding processings in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Users are advised to update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS and 12.2.0 which fix this problem. For users who are unable to patch in a timely manner the TypoScript setting `config.absRefPrefix` should at least be set to a static path value, instead of using auto - e.g. `config.absRefPrefix=/`. This workaround **does not fix all aspects of the vulnerability**, and is just considered to be an intermediate mitigation to the most prominent manifestation.

References

URL	Tags
security-advisories@github.com	https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix	Not Applicable
security-advisories@github.com	https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484	Product
security-advisories@github.com	https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549	Product
security-advisories@github.com	https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a	Patch
security-advisories@github.com	https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3	Exploit, Mitigation, Vendor Advisory
security-advisories@github.com	https://typo3.org/security/advisory/typo3-core-sa-2023-001	Exploit, Mitigation, Vendor Advisory
security-advisories@github.com	https://typo3.org/security/advisory/typo3-psa-2023-001	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix	Not Applicable
af854a3a-2127-422b-91ae-364da2661108	https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3	Exploit, Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://typo3.org/security/advisory/typo3-core-sa-2023-001	Exploit, Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://typo3.org/security/advisory/typo3-psa-2023-001	Vendor Advisory

Impacted products

Vendor

Product

Version

▼

TYPO3

typo3

Version: >= 8.7.0, < 8.7.51
Version: >= 9.0.0, < 9.5.40
Version: >= 10.0.0, < 10.4.36
Version: 11.0.0, < 11.5.23
Version: >= 12.0.0, < 12.2.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:03:19.312Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3"
          },
          {
            "name": "https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a"
          },
          {
            "name": "https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix"
          },
          {
            "name": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484"
          },
          {
            "name": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549"
          },
          {
            "name": "https://typo3.org/security/advisory/typo3-core-sa-2023-001",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://typo3.org/security/advisory/typo3-core-sa-2023-001"
          },
          {
            "name": "https://typo3.org/security/advisory/typo3-psa-2023-001",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://typo3.org/security/advisory/typo3-psa-2023-001"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "typo3",
          "vendor": "TYPO3",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 8.7.0, \u003c 8.7.51"
            },
            {
              "status": "affected",
              "version": "\u003e= 9.0.0, \u003c 9.5.40"
            },
            {
              "status": "affected",
              "version": "\u003e= 10.0.0, \u003c 10.4.36"
            },
            {
              "status": "affected",
              "version": "11.0.0, \u003c 11.5.23"
            },
            {
              "status": "affected",
              "version": "\u003e= 12.0.0, \u003c 12.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of `GeneralUtility::getIndpEnv(\u0027SCRIPT_NAME\u0027)` and corresponding usages (as shown below) are vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod_php are vulnerable. The usage of server environment variable `PATH_INFO` has been removed from corresponding processings in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Users are advised to update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS and 12.2.0 which fix this problem. For users who are unable to patch in a timely manner the TypoScript setting `config.absRefPrefix` should at least be set to a static path value, instead of using auto - e.g. `config.absRefPrefix=/`. This workaround **does not fix all aspects of the vulnerability**, and is just considered to be an intermediate mitigation to the most prominent manifestation."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-02-07T18:14:29.388Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3"
        },
        {
          "name": "https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a"
        },
        {
          "name": "https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix"
        },
        {
          "name": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484"
        },
        {
          "name": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549"
        },
        {
          "name": "https://typo3.org/security/advisory/typo3-core-sa-2023-001",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://typo3.org/security/advisory/typo3-core-sa-2023-001"
        },
        {
          "name": "https://typo3.org/security/advisory/typo3-psa-2023-001",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://typo3.org/security/advisory/typo3-psa-2023-001"
        }
      ],
      "source": {
        "advisory": "GHSA-r4f8-f93x-5qh3",
        "discovery": "UNKNOWN"
      },
      "title": "Persisted Cross-Site Scripting in Frontend Rendering in typo3"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-24814",
    "datePublished": "2023-02-07T18:14:29.388Z",
    "dateReserved": "2023-01-30T14:43:33.704Z",
    "dateUpdated": "2024-08-02T11:03:19.312Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.7.0\", \"versionEndExcluding\": \"9.7.51\", \"matchCriteriaId\": \"A0A441EE-3A04-499B-AEA3-E5869BC418DF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"9.0.0\", \"versionEndExcluding\": \"9.5.40\", \"matchCriteriaId\": \"E7D02B4E-9050-4C4E-ABE5-00E8662145E1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"10.0.0\", \"versionEndExcluding\": \"10.4.36\", \"matchCriteriaId\": \"6AF24F98-DCD1-442F-98DB-B0DE64AC2556\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"11.0.0\", \"versionEndExcluding\": \"11.5.23\", \"matchCriteriaId\": \"2E225EC3-5236-450C-9655-AE920702AAA7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"12.0.0\", \"versionEndExcluding\": \"12.2.0\", \"matchCriteriaId\": \"7E3B9E03-7D04-4A74-8FE0-200097544319\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of `GeneralUtility::getIndpEnv(\u0027SCRIPT_NAME\u0027)` and corresponding usages (as shown below) are vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod_php are vulnerable. The usage of server environment variable `PATH_INFO` has been removed from corresponding processings in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Users are advised to update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS and 12.2.0 which fix this problem. For users who are unable to patch in a timely manner the TypoScript setting `config.absRefPrefix` should at least be set to a static path value, instead of using auto - e.g. `config.absRefPrefix=/`. This workaround **does not fix all aspects of the vulnerability**, and is just considered to be an intermediate mitigation to the most prominent manifestation.\"}]",
      "id": "CVE-2023-24814",
      "lastModified": "2024-11-21T07:48:26.880",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.3}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}]}",
      "published": "2023-02-07T19:15:09.473",
      "references": "[{\"url\": \"https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Not Applicable\"]}, {\"url\": \"https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Mitigation\", \"Vendor Advisory\"]}, {\"url\": \"https://typo3.org/security/advisory/typo3-core-sa-2023-001\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Mitigation\", \"Vendor Advisory\"]}, {\"url\": \"https://typo3.org/security/advisory/typo3-psa-2023-001\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Not Applicable\"]}, {\"url\": \"https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Mitigation\", \"Vendor Advisory\"]}, {\"url\": \"https://typo3.org/security/advisory/typo3-core-sa-2023-001\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Mitigation\", \"Vendor Advisory\"]}, {\"url\": \"https://typo3.org/security/advisory/typo3-psa-2023-001\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-24814\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-02-07T19:15:09.473\",\"lastModified\":\"2024-11-21T07:48:26.880\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of `GeneralUtility::getIndpEnv(\u0027SCRIPT_NAME\u0027)` and corresponding usages (as shown below) are vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod_php are vulnerable. The usage of server environment variable `PATH_INFO` has been removed from corresponding processings in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Users are advised to update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS and 12.2.0 which fix this problem. For users who are unable to patch in a timely manner the TypoScript setting `config.absRefPrefix` should at least be set to a static path value, instead of using auto - e.g. `config.absRefPrefix=/`. This workaround **does not fix all aspects of the vulnerability**, and is just considered to be an intermediate mitigation to the most prominent manifestation.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":5.3},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.7.0\",\"versionEndExcluding\":\"9.7.51\",\"matchCriteriaId\":\"A0A441EE-3A04-499B-AEA3-E5869BC418DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.0.0\",\"versionEndExcluding\":\"9.5.40\",\"matchCriteriaId\":\"E7D02B4E-9050-4C4E-ABE5-00E8662145E1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.0.0\",\"versionEndExcluding\":\"10.4.36\",\"matchCriteriaId\":\"6AF24F98-DCD1-442F-98DB-B0DE64AC2556\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndExcluding\":\"11.5.23\",\"matchCriteriaId\":\"2E225EC3-5236-450C-9655-AE920702AAA7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndExcluding\":\"12.2.0\",\"matchCriteriaId\":\"7E3B9E03-7D04-4A74-8FE0-200097544319\"}]}]}],\"references\":[{\"url\":\"https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://typo3.org/security/advisory/typo3-core-sa-2023-001\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://typo3.org/security/advisory/typo3-psa-2023-001\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://typo3.org/security/advisory/typo3-core-sa-2023-001\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://typo3.org/security/advisory/typo3-psa-2023-001\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

wid-sec-w-2023-0299

Vulnerability from csaf_certbund

Published

2023-02-06 23:00

Modified

2023-02-06 23:00

Summary

TYPO3 Core: Schwachstelle ermöglicht Cross-Site Scripting

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

TYPO3 ist ein freies Content-Management-System, basierend auf der Scriptsprache PHP und einer SQL-Datenbank. Über zahlreiche Extensions kann der Funktionsumfang der Core-Installation individuell erweitert werden.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in TYPO3 Core ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen.

Betroffene Betriebssysteme

- UNIX - Linux - Windows - Sonstiges

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "TYPO3 ist ein freies Content-Management-System, basierend auf der Scriptsprache PHP und einer SQL-Datenbank. \u00dcber zahlreiche Extensions kann der Funktionsumfang der Core-Installation individuell erweitert werden.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in TYPO3 Core ausnutzen, um einen Cross-Site Scripting Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- Windows\n- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-0299 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0299.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-0299 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0299"
      },
      {
        "category": "external",
        "summary": "Typo3 Security Bulletins vom 2023-02-06",
        "url": "https://typo3.org/security/advisory/typo3-core-sa-2023-001"
      }
    ],
    "source_lang": "en-US",
    "title": "TYPO3 Core: Schwachstelle erm\u00f6glicht Cross-Site Scripting",
    "tracking": {
      "current_release_date": "2023-02-06T23:00:00.000+00:00",
      "generator": {
        "date": "2024-02-15T17:13:14.003+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.0"
        }
      },
      "id": "WID-SEC-W-2023-0299",
      "initial_release_date": "2023-02-06T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-02-06T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "TYPO3 Core \u003c 12.2.0",
                "product": {
                  "name": "TYPO3 Core \u003c 12.2.0",
                  "product_id": "T026167",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:typo3:typo3:12.2.0"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "TYPO3 Core \u003c 11.5.23",
                "product": {
                  "name": "TYPO3 Core \u003c 11.5.23",
                  "product_id": "T026168",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:typo3:typo3:11.5.23"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "TYPO3 Core \u003c 10.4.36",
                "product": {
                  "name": "TYPO3 Core \u003c 10.4.36",
                  "product_id": "T026169",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:typo3:typo3:10.4.36"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Core"
          }
        ],
        "category": "vendor",
        "name": "TYPO3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-24814",
      "notes": [
        {
          "category": "description",
          "text": "In TYPO3 Core existiert eine Cross-Site Scripting Schwachstelle. HTML und Script-Eingaben werden in der Server-Umgebungsvariable PATH_INFO nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter, anonymer Angreifer kann durch Ausnutzung dieser Schwachstelle beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
        }
      ],
      "release_date": "2023-02-06T23:00:00Z",
      "title": "CVE-2023-24814"
    }
  ]
}

WID-SEC-W-2023-0299

Vulnerability from csaf_certbund

Published

2023-02-06 23:00

Modified

2023-02-06 23:00

Summary

TYPO3 Core: Schwachstelle ermöglicht Cross-Site Scripting

Notes

Produktbeschreibung

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in TYPO3 Core ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen.

Betroffene Betriebssysteme

- UNIX - Linux - Windows - Sonstiges

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "TYPO3 ist ein freies Content-Management-System, basierend auf der Scriptsprache PHP und einer SQL-Datenbank. \u00dcber zahlreiche Extensions kann der Funktionsumfang der Core-Installation individuell erweitert werden.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in TYPO3 Core ausnutzen, um einen Cross-Site Scripting Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- Windows\n- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-0299 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0299.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-0299 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0299"
      },
      {
        "category": "external",
        "summary": "Typo3 Security Bulletins vom 2023-02-06",
        "url": "https://typo3.org/security/advisory/typo3-core-sa-2023-001"
      }
    ],
    "source_lang": "en-US",
    "title": "TYPO3 Core: Schwachstelle erm\u00f6glicht Cross-Site Scripting",
    "tracking": {
      "current_release_date": "2023-02-06T23:00:00.000+00:00",
      "generator": {
        "date": "2024-02-15T17:13:14.003+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.0"
        }
      },
      "id": "WID-SEC-W-2023-0299",
      "initial_release_date": "2023-02-06T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-02-06T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "TYPO3 Core \u003c 12.2.0",
                "product": {
                  "name": "TYPO3 Core \u003c 12.2.0",
                  "product_id": "T026167",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:typo3:typo3:12.2.0"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "TYPO3 Core \u003c 11.5.23",
                "product": {
                  "name": "TYPO3 Core \u003c 11.5.23",
                  "product_id": "T026168",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:typo3:typo3:11.5.23"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "TYPO3 Core \u003c 10.4.36",
                "product": {
                  "name": "TYPO3 Core \u003c 10.4.36",
                  "product_id": "T026169",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:typo3:typo3:10.4.36"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Core"
          }
        ],
        "category": "vendor",
        "name": "TYPO3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-24814",
      "notes": [
        {
          "category": "description",
          "text": "In TYPO3 Core existiert eine Cross-Site Scripting Schwachstelle. HTML und Script-Eingaben werden in der Server-Umgebungsvariable PATH_INFO nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter, anonymer Angreifer kann durch Ausnutzung dieser Schwachstelle beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
        }
      ],
      "release_date": "2023-02-06T23:00:00Z",
      "title": "CVE-2023-24814"
    }
  ]
}

ghsa-r4f8-f93x-5qh3

Vulnerability from github

Published

2023-02-08 21:33

Modified

2023-02-16 19:07

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

Summary

TYPO3 is vulnerable to Cross-Site Scripting via frontend rendering

Details

CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L/E:F/RL:O/RC:C (8.2)

Problem

TYPO3 core component GeneralUtility::getIndpEnv() uses the unfiltered server environment variable PATH_INFO, which allows attackers to inject malicious content.

In combination with the TypoScript setting config.absRefPrefix=auto, attackers can inject malicious HTML code into pages that have not yet been rendered and cached. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting).

Individual code which relies on the resolved value of GeneralUtility::getIndpEnv('SCRIPT_NAME') and corresponding usages (as shown below) are vulnerable as well.

GeneralUtility::getIndpEnv('PATH_INFO')
GeneralUtility::getIndpEnv('SCRIPT_NAME')
GeneralUtility::getIndpEnv('TYPO3_REQUEST_DIR')
GeneralUtility::getIndpEnv('TYPO3_REQUEST_SCRIPT')
GeneralUtility::getIndpEnv('TYPO3_SITE_PATH')
GeneralUtility::getIndpEnv('TYPO3_SITE_SCRIPT')
GeneralUtility::getIndpEnv('TYPO3_SITE_URL')

Installations of TYPO3 versions 8.7 and 9.x are probably only affected when server environment variable TYPO3_PATH_ROOT is defined - which is the case if they were installed via Composer.

Additional investigations confirmed that Apache and Microsoft IIS web servers using PHP-CGI (FPM, FCGI/FastCGI, or similar) are affected. There might be the risk that nginx is vulnerable as well. It was not possible to exploit Apache/mod_php scenarios.

Solution

The usage of server environment variable PATH_INFO has been removed from corresponding processings in GeneralUtility::getIndpEnv(). Besides that, the public property TypoScriptFrontendController::$absRefPrefix is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability.

Update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.36 LTS, 11.5.23 LTS and 12.2.0 that fix the problem described above.

ℹ️ Strong security defaults - Manual actions required Any web server using PHP-CGI (FPM, FCGI/FastCGI, or similar) needs to ensure that the PHP setting cgi.fix_pathinfo=1 is used, which is the default PHP setting. In case this setting is not enabled, an exception is thrown to avoid continuing with invalid path information.

For websites that cannot be patched timely the TypoScript setting config.absRefPrefix at least should be set to a static path value, instead of using auto - e.g. config.absRefPrefix=/ - this does not fix all aspects of the vulnerability, and is just considered to be an intermediate mitigation to the most prominent manifestation.

References

TYPO3-CORE-SA-2023-001
TYPO3-CORE-PSA-2023-001 pre-announcement

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.5.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.4.36"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.5.40"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.7.0"
            },
            {
              "fixed": "8.7.51"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.4.35"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.5.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-24814"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-08T21:33:24Z",
    "nvd_published_at": "2023-02-07T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "\u003e ### CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L/E:F/RL:O/RC:C` (8.2)\n\n### Problem\nTYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content.\n\nIn combination with the TypoScript setting [`config.absRefPrefix=auto`](https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549), attackers can inject malicious HTML code into pages that have not yet been rendered and cached. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting).\n\nIndividual code which relies on the resolved value of [`GeneralUtility::getIndpEnv(\u0027SCRIPT_NAME\u0027)`](https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484) and corresponding usages (as shown below) are vulnerable as well.\n\n- `GeneralUtility::getIndpEnv(\u0027PATH_INFO\u0027) `\n- `GeneralUtility::getIndpEnv(\u0027SCRIPT_NAME\u0027) `\n- `GeneralUtility::getIndpEnv(\u0027TYPO3_REQUEST_DIR\u0027)`\n- `GeneralUtility::getIndpEnv(\u0027TYPO3_REQUEST_SCRIPT\u0027)`\n- `GeneralUtility::getIndpEnv(\u0027TYPO3_SITE_PATH\u0027)`\n- `GeneralUtility::getIndpEnv(\u0027TYPO3_SITE_SCRIPT\u0027)`\n- `GeneralUtility::getIndpEnv(\u0027TYPO3_SITE_URL\u0027)`\n\nInstallations of TYPO3 versions 8.7 and 9.x are probably only affected when server environment variable [`TYPO3_PATH_ROOT`](https://docs.typo3.org/m/typo3/reference-coreapi/9.5/en-us/ApiOverview/Environment/Index.html#configuring-environment-paths) is defined - which is the case if they were installed via Composer.\n\nAdditional investigations confirmed that Apache and Microsoft IIS web servers using PHP-CGI (FPM, FCGI/FastCGI, or similar) are affected. There might be the risk that nginx is vulnerable as well. It was not possible to exploit Apache/mod_php scenarios.\n\n### Solution\nThe usage of server environment variable `PATH_INFO` has been removed from corresponding processings in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability.\n\nUpdate to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.36 LTS, 11.5.23 LTS and 12.2.0 that fix the problem described above.\n\n\u003e \u2139\ufe0f **Strong security defaults - Manual actions required**\n\u003e Any web server using PHP-CGI (FPM, FCGI/FastCGI, or similar) needs to ensure that the PHP setting [**`cgi.fix_pathinfo=1`**](https://www.php.net/manual/en/ini.core.php#ini.cgi.fix-pathinfo) is used, which is the default PHP setting. In case this setting is not enabled, an exception is thrown to avoid continuing with invalid path information.\n\nFor websites that cannot be patched timely the TypoScript setting [`config.absRefPrefix`](https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix) at least should be set to a static path value, instead of using `auto` - e.g. `config.absRefPrefix=/` - this **does not fix all aspects of the vulnerability**, and is just considered to be an intermediate mitigation to the most prominent manifestation.\n\n### References\n* [TYPO3-CORE-SA-2023-001](https://typo3.org/security/advisory/typo3-core-sa-2023-001)\n* [TYPO3-CORE-PSA-2023-001](https://typo3.org/security/advisory/typo3-psa-2023-001) *pre-announcement*",
  "id": "GHSA-r4f8-f93x-5qh3",
  "modified": "2023-02-16T19:07:25Z",
  "published": "2023-02-08T21:33:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24814"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a"
    },
    {
      "type": "WEB",
      "url": "https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2023-24814.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/TYPO3/typo3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2023-001"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-psa-2023-001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "TYPO3 is vulnerable to Cross-Site Scripting via frontend rendering"
}

gsd-2023-24814

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-24814

Aliases

CVE-2023-24814

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-24814",
    "id": "GSD-2023-24814"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-24814"
      ],
      "details": "TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of `GeneralUtility::getIndpEnv(\u0027SCRIPT_NAME\u0027)` and corresponding usages (as shown below) are vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod_php are vulnerable. The usage of server environment variable `PATH_INFO` has been removed from corresponding processings in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Users are advised to update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS and 12.2.0 which fix this problem. For users who are unable to patch in a timely manner the TypoScript setting `config.absRefPrefix` should at least be set to a static path value, instead of using auto - e.g. `config.absRefPrefix=/`. This workaround **does not fix all aspects of the vulnerability**, and is just considered to be an intermediate mitigation to the most prominent manifestation.",
      "id": "GSD-2023-24814",
      "modified": "2023-12-13T01:20:57.996944Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-24814",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "typo3",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 8.7.0, \u003c 8.7.51"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 9.0.0, \u003c 9.5.40"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 10.0.0, \u003c 10.4.36"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "11.0.0, \u003c 11.5.23"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 12.0.0, \u003c 12.2.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "TYPO3"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of `GeneralUtility::getIndpEnv(\u0027SCRIPT_NAME\u0027)` and corresponding usages (as shown below) are vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod_php are vulnerable. The usage of server environment variable `PATH_INFO` has been removed from corresponding processings in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Users are advised to update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS and 12.2.0 which fix this problem. For users who are unable to patch in a timely manner the TypoScript setting `config.absRefPrefix` should at least be set to a static path value, instead of using auto - e.g. `config.absRefPrefix=/`. This workaround **does not fix all aspects of the vulnerability**, and is just considered to be an intermediate mitigation to the most prominent manifestation."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-79",
                "lang": "eng",
                "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3",
            "refsource": "MISC",
            "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3"
          },
          {
            "name": "https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a",
            "refsource": "MISC",
            "url": "https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a"
          },
          {
            "name": "https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix",
            "refsource": "MISC",
            "url": "https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix"
          },
          {
            "name": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484",
            "refsource": "MISC",
            "url": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484"
          },
          {
            "name": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549",
            "refsource": "MISC",
            "url": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549"
          },
          {
            "name": "https://typo3.org/security/advisory/typo3-core-sa-2023-001",
            "refsource": "MISC",
            "url": "https://typo3.org/security/advisory/typo3-core-sa-2023-001"
          },
          {
            "name": "https://typo3.org/security/advisory/typo3-psa-2023-001",
            "refsource": "MISC",
            "url": "https://typo3.org/security/advisory/typo3-psa-2023-001"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-r4f8-f93x-5qh3",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=8.7.0,\u003c9.7.51||\u003e=10.0.0,\u003c10.4.36||\u003e=11.0.0,\u003c11.5.23||\u003e=12.0.0,\u003c12.2.0",
          "affected_versions": "All versions starting from 8.7.0 before 9.7.51, all versions starting from 10.0.0 before 10.4.36, all versions starting from 11.0.0 before 11.5.23, all versions starting from 12.0.0 before 12.2.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2023-02-16",
          "description": "TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of `GeneralUtility::getIndpEnv(\u0027SCRIPT_NAME\u0027)` and corresponding usages (as shown below) is vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod_php is vulnerable. The usage of server environment variable `PATH_INFO` has been removed from corresponding processings in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Users are advised to update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS and 12.2.0 which fix this problem. For users who are unable to patch in a timely manner the TypoScript setting `config.absRefPrefix` should at least be set to a static path value, instead of using auto - e.g. `config.absRefPrefix=/`. This workaround **does not fix all aspects of the vulnerability**, and is just considered to be an intermediate mitigation to the most prominent manifestation.",
          "fixed_versions": [
            "10.4.36",
            "11.5.23",
            "12.2.0"
          ],
          "identifier": "CVE-2023-24814",
          "identifiers": [
            "CVE-2023-24814",
            "GHSA-r4f8-f93x-5qh3"
          ],
          "not_impacted": "All versions before 8.7.0, all versions starting from 9.7.51 before 10.0.0, all versions starting from 10.4.36 before 11.0.0, all versions starting from 11.5.23 before 12.0.0, all versions starting from 12.2.0",
          "package_slug": "packagist/typo3/cms-core",
          "pubdate": "2023-02-07",
          "solution": "Upgrade to versions 10.4.36, 11.5.23, 12.2.0 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2023-24814",
            "https://typo3.org/security/advisory/typo3-psa-2023-001",
            "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484",
            "https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a",
            "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549",
            "https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3",
            "https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix",
            "https://typo3.org/security/advisory/typo3-core-sa-2023-001"
          ],
          "uuid": "333b6593-7f1a-4987-911a-b702eddd63d4"
        },
        {
          "affected_range": "\u003e=8.7.0,\u003c9.7.51||\u003e=10.0.0,\u003c10.4.36||\u003e=11.0.0,\u003c11.5.23||\u003e=12.0.0,\u003c12.2.0",
          "affected_versions": "All versions starting from 8.7.0 before 9.7.51, all versions starting from 10.0.0 before 10.4.36, all versions starting from 11.0.0 before 11.5.23, all versions starting from 12.0.0 before 12.2.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2023-02-16",
          "description": "TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of `GeneralUtility::getIndpEnv(\u0027SCRIPT_NAME\u0027)` and corresponding usages (as shown below) is vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod_php is vulnerable. The usage of server environment variable `PATH_INFO` has been removed from corresponding processings in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Users are advised to update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS and 12.2.0 which fix this problem. For users who are unable to patch in a timely manner the TypoScript setting `config.absRefPrefix` should at least be set to a static path value, instead of using auto - e.g. `config.absRefPrefix=/`. This workaround **does not fix all aspects of the vulnerability**, and is just considered to be an intermediate mitigation to the most prominent manifestation.",
          "fixed_versions": [
            "10.4.36",
            "11.5.23",
            "12.2.0"
          ],
          "identifier": "CVE-2023-24814",
          "identifiers": [
            "CVE-2023-24814",
            "GHSA-r4f8-f93x-5qh3"
          ],
          "not_impacted": "All versions before 8.7.0, all versions starting from 9.7.51 before 10.0.0, all versions starting from 10.4.36 before 11.0.0, all versions starting from 11.5.23 before 12.0.0, all versions starting from 12.2.0",
          "package_slug": "packagist/typo3/cms",
          "pubdate": "2023-02-07",
          "solution": "Upgrade to versions 10.4.36, 11.5.23, 12.2.0 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-24814",
            "https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a",
            "https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix",
            "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2023-24814.yaml",
            "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484",
            "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549",
            "https://typo3.org/security/advisory/typo3-core-sa-2023-001",
            "https://typo3.org/security/advisory/typo3-psa-2023-001",
            "https://github.com/advisories/GHSA-r4f8-f93x-5qh3"
          ],
          "uuid": "2e5ef9da-0b85-4904-99d8-078c8f8caa81"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "12.2.0",
                "versionStartIncluding": "12.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "11.5.23",
                "versionStartIncluding": "11.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "10.4.36",
                "versionStartIncluding": "10.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "9.5.40",
                "versionStartIncluding": "9.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "9.7.51",
                "versionStartIncluding": "8.7.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-24814"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of `GeneralUtility::getIndpEnv(\u0027SCRIPT_NAME\u0027)` and corresponding usages (as shown below) are vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod_php are vulnerable. The usage of server environment variable `PATH_INFO` has been removed from corresponding processings in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Users are advised to update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS and 12.2.0 which fix this problem. For users who are unable to patch in a timely manner the TypoScript setting `config.absRefPrefix` should at least be set to a static path value, instead of using auto - e.g. `config.absRefPrefix=/`. This workaround **does not fix all aspects of the vulnerability**, and is just considered to be an intermediate mitigation to the most prominent manifestation."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://typo3.org/security/advisory/typo3-psa-2023-001",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://typo3.org/security/advisory/typo3-psa-2023-001"
            },
            {
              "name": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484"
            },
            {
              "name": "https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a"
            },
            {
              "name": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549"
            },
            {
              "name": "https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Mitigation",
                "Vendor Advisory"
              ],
              "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3"
            },
            {
              "name": "https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix",
              "refsource": "MISC",
              "tags": [
                "Not Applicable"
              ],
              "url": "https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix"
            },
            {
              "name": "https://typo3.org/security/advisory/typo3-core-sa-2023-001",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Mitigation",
                "Vendor Advisory"
              ],
              "url": "https://typo3.org/security/advisory/typo3-core-sa-2023-001"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2023-02-16T16:38Z",
      "publishedDate": "2023-02-07T19:15Z"
    }
  }
}

cve-2023-24814

Vulnerability from fkie_nvd

Published

2023-02-07 19:15

Modified

2024-11-21 07:48

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix	Not Applicable
security-advisories@github.com	https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484	Product
security-advisories@github.com	https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549	Product
security-advisories@github.com	https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a	Patch
security-advisories@github.com	https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3	Exploit, Mitigation, Vendor Advisory
security-advisories@github.com	https://typo3.org/security/advisory/typo3-core-sa-2023-001	Exploit, Mitigation, Vendor Advisory
security-advisories@github.com	https://typo3.org/security/advisory/typo3-psa-2023-001	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix	Not Applicable
af854a3a-2127-422b-91ae-364da2661108	https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3	Exploit, Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://typo3.org/security/advisory/typo3-core-sa-2023-001	Exploit, Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://typo3.org/security/advisory/typo3-psa-2023-001	Vendor Advisory

Impacted products

Vendor	Product	Version
typo3	typo3	*
typo3	typo3	*
typo3	typo3	*
typo3	typo3	*
typo3	typo3	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A0A441EE-3A04-499B-AEA3-E5869BC418DF",
              "versionEndExcluding": "9.7.51",
              "versionStartIncluding": "8.7.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E7D02B4E-9050-4C4E-ABE5-00E8662145E1",
              "versionEndExcluding": "9.5.40",
              "versionStartIncluding": "9.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6AF24F98-DCD1-442F-98DB-B0DE64AC2556",
              "versionEndExcluding": "10.4.36",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2E225EC3-5236-450C-9655-AE920702AAA7",
              "versionEndExcluding": "11.5.23",
              "versionStartIncluding": "11.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7E3B9E03-7D04-4A74-8FE0-200097544319",
              "versionEndExcluding": "12.2.0",
              "versionStartIncluding": "12.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of `GeneralUtility::getIndpEnv(\u0027SCRIPT_NAME\u0027)` and corresponding usages (as shown below) are vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod_php are vulnerable. The usage of server environment variable `PATH_INFO` has been removed from corresponding processings in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Users are advised to update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS and 12.2.0 which fix this problem. For users who are unable to patch in a timely manner the TypoScript setting `config.absRefPrefix` should at least be set to a static path value, instead of using auto - e.g. `config.absRefPrefix=/`. This workaround **does not fix all aspects of the vulnerability**, and is just considered to be an intermediate mitigation to the most prominent manifestation."
    }
  ],
  "id": "CVE-2023-24814",
  "lastModified": "2024-11-21T07:48:26.880",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.3,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-02-07T19:15:09.473",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2023-001"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://typo3.org/security/advisory/typo3-psa-2023-001"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-r4f8-f93x-5qh3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2023-001"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://typo3.org/security/advisory/typo3-psa-2023-001"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2023-24814

Vulnerability from cvelistv5

wid-sec-w-2023-0299

Vulnerability from csaf_certbund

WID-SEC-W-2023-0299

Vulnerability from csaf_certbund

ghsa-r4f8-f93x-5qh3

Vulnerability from github

CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L/E:F/RL:O/RC:C (8.2)

Problem

Solution

References

gsd-2023-24814

Vulnerability from gsd

cve-2023-24814

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature

CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L/E:F/RL:O/RC:C` (8.2)