VulnerableCode Package Details - pkg:composer/typo3/cms@12.1.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-vyvy-y3cw-hbgr Aliases: CVE-2023-24814 GHSA-r4f8-f93x-5qh3	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of `GeneralUtility::getIndpEnv('SCRIPT_NAME')` and corresponding usages (as shown below) is vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod_php is vulnerable. The usage of server environment variable `PATH_INFO` has been removed from corresponding processings in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Users are advised to update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS and 12.2.0 which fix this problem. For users who are unable to patch in a timely manner the TypoScript setting `config.absRefPrefix` should at least be set to a static path value, instead of using auto - e.g. `config.absRefPrefix=/`. This workaround does not fix all aspects of the vulnerability, and is just considered to be an intermediate mitigation to the most prominent manifestation.	12.2.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-vyvy-y3cw-hbgr
Aliases:
CVE-2023-24814
GHSA-r4f8-f93x-5qh3

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of `GeneralUtility::getIndpEnv('SCRIPT_NAME')` and corresponding usages (as shown below) is vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod_php is vulnerable. The usage of server environment variable `PATH_INFO` has been removed from corresponding processings in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Users are advised to update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS and 12.2.0 which fix this problem. For users who are unable to patch in a timely manner the TypoScript setting `config.absRefPrefix` should at least be set to a static path value, instead of using auto - e.g. `config.absRefPrefix=/`. This workaround **does not fix all aspects of the vulnerability**, and is just considered to be an intermediate mitigation to the most prominent manifestation.

12.2.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-8sdd-b1bn-cuhx	TYPO3 CMS vulnerable to Insufficient Session Expiration after Password Reset ### Problem When users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions. ### Solution Update to TYPO3 versions 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-014](https://typo3.org/security/advisory/typo3-core-sa-2022-014)	CVE-2022-23502 GHSA-mgj2-q8wp-29rr GMS-2022-8135
VCID-t1n7-eswt-73gw	TYPO3 CMS vulnerable to Arbitrary Code Execution via Form Framework ### Problem Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it was possible to inject code instructions to be processed and executed via TypoScript as PHP code. The existence of individual TypoScript instructions for a particular form item (known as [`formDefinitionOverrides`](https://docs.typo3.org/c/typo3/cms-form/main/en-us/I/Concepts/FrontendRendering/Index.html#form-element-properties)) and a valid backend user account with access to the form module are needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-015](https://typo3.org/security/advisory/typo3-core-sa-2022-015)	CVE-2022-23503 GHSA-c5wx-6c2c-f7rm GMS-2022-8132
VCID-w13x-3rp9-wyej	TYPO3 CMS vulnerable to Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration > ### CVSS: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L/E:F/RL:O/RC:C` (5.3) ### Problem Due to the lack of handling user-submitted [YAML placeholder expressions](https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/Configuration/Yaml/YamlApi.html#custom-placeholder-processing) in the site configuration backend module, attackers could expose sensitive internal information, such as system configuration or HTTP request messages of other website visitors. A valid backend user account having administrator privileges is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### Credits Thanks to TYPO3 core & security team member Oliver Hader who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2022-016](https://typo3.org/security/advisory/typo3-core-sa-2022-016)	CVE-2022-23504 GHSA-8w3p-qh3x-6gjr GMS-2022-8131
VCID-yj9g-uz1a-jkf2	TYPO3 HTML Sanitizer vulnerable to Cross-Site Scripting ### Problem Due to a parsing issue in the upstream package [`masterminds/html5`](https://packagist.org/packages/masterminds/html5), malicious markup used in a sequence with special HTML CDATA sections cannot be filtered and sanitized. This allows bypassing the cross-site scripting mechanism of [`typo3/html-sanitizer`](https://packagist.org/packages/typo3/html-sanitizer). Besides that, the upstream package `masterminds/html5` provides HTML raw text elements (`script`, `style`, `noframes`, `noembed` and `iframe`) as DOMText nodes, which were not processed and sanitized further. None of the mentioned elements were defined in the default builder configuration, that's why only custom behaviors, using one of those tag names, were vulnerable to cross-site scripting. ### Solution Update to `typo3/html-sanitizer` versions 1.5.0 or 2.1.1 that fix the problem described.	CVE-2022-23499 GHSA-hvwx-qh2h-xcfj GMS-2022-8136
VCID-zdq2-dhb2-6kaq	TYPO3 CMS vulnerable to Weak Authentication in Frontend Login ### Problem Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary. ### Solution Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-013](https://typo3.org/security/advisory/typo3-core-sa-2022-013)	CVE-2022-23501 GHSA-jfp7-79g7-89rf GMS-2022-8134

Vulnerability

Summary

Aliases

VCID-8sdd-b1bn-cuhx

TYPO3 CMS vulnerable to Insufficient Session Expiration after Password Reset ### Problem When users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions. ### Solution Update to TYPO3 versions 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-014](https://typo3.org/security/advisory/typo3-core-sa-2022-014)

CVE-2022-23502
GHSA-mgj2-q8wp-29rr
GMS-2022-8135

VCID-t1n7-eswt-73gw

TYPO3 CMS vulnerable to Arbitrary Code Execution via Form Framework ### Problem Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it was possible to inject code instructions to be processed and executed via TypoScript as PHP code. The existence of individual TypoScript instructions for a particular form item (known as [`formDefinitionOverrides`](https://docs.typo3.org/c/typo3/cms-form/main/en-us/I/Concepts/FrontendRendering/Index.html#form-element-properties)) and a valid backend user account with access to the form module are needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-015](https://typo3.org/security/advisory/typo3-core-sa-2022-015)

CVE-2022-23503
GHSA-c5wx-6c2c-f7rm
GMS-2022-8132

VCID-w13x-3rp9-wyej

TYPO3 CMS vulnerable to Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration > ### CVSS: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L/E:F/RL:O/RC:C` (5.3) ### Problem Due to the lack of handling user-submitted [YAML placeholder expressions](https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/Configuration/Yaml/YamlApi.html#custom-placeholder-processing) in the site configuration backend module, attackers could expose sensitive internal information, such as system configuration or HTTP request messages of other website visitors. A valid backend user account having administrator privileges is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### Credits Thanks to TYPO3 core & security team member Oliver Hader who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2022-016](https://typo3.org/security/advisory/typo3-core-sa-2022-016)

CVE-2022-23504
GHSA-8w3p-qh3x-6gjr
GMS-2022-8131

VCID-yj9g-uz1a-jkf2

TYPO3 HTML Sanitizer vulnerable to Cross-Site Scripting ### Problem Due to a parsing issue in the upstream package [`masterminds/html5`](https://packagist.org/packages/masterminds/html5), malicious markup used in a sequence with special HTML CDATA sections cannot be filtered and sanitized. This allows bypassing the cross-site scripting mechanism of [`typo3/html-sanitizer`](https://packagist.org/packages/typo3/html-sanitizer). Besides that, the upstream package `masterminds/html5` provides HTML raw text elements (`script`, `style`, `noframes`, `noembed` and `iframe`) as DOMText nodes, which were not processed and sanitized further. None of the mentioned elements were defined in the default builder configuration, that's why only custom behaviors, using one of those tag names, were vulnerable to cross-site scripting. ### Solution Update to `typo3/html-sanitizer` versions 1.5.0 or 2.1.1 that fix the problem described.

CVE-2022-23499
GHSA-hvwx-qh2h-xcfj
GMS-2022-8136

VCID-zdq2-dhb2-6kaq

TYPO3 CMS vulnerable to Weak Authentication in Frontend Login ### Problem Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary. ### Solution Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-013](https://typo3.org/security/advisory/typo3-core-sa-2022-013)

CVE-2022-23501
GHSA-jfp7-79g7-89rf
GMS-2022-8134

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:21:18.136738+00:00	GitLab Importer	Affected by	VCID-vyvy-y3cw-hbgr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2023-24814.yml	38.4.0
2026-04-16T22:18:15.414185+00:00	GitLab Importer	Fixing	VCID-8sdd-b1bn-cuhx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2022-23502.yml	38.4.0
2026-04-16T22:18:11.197379+00:00	GitLab Importer	Fixing	VCID-t1n7-eswt-73gw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2022-23503.yml	38.4.0
2026-04-16T22:18:09.009196+00:00	GitLab Importer	Fixing	VCID-zdq2-dhb2-6kaq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2022-23501.yml	38.4.0
2026-04-11T23:39:19.587250+00:00	GitLab Importer	Affected by	VCID-vyvy-y3cw-hbgr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2023-24814.yml	38.3.0
2026-04-11T23:35:49.006880+00:00	GitLab Importer	Fixing	VCID-8sdd-b1bn-cuhx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2022-23502.yml	38.3.0
2026-04-11T23:35:43.857346+00:00	GitLab Importer	Fixing	VCID-t1n7-eswt-73gw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2022-23503.yml	38.3.0
2026-04-11T23:35:40.777448+00:00	GitLab Importer	Fixing	VCID-zdq2-dhb2-6kaq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2022-23501.yml	38.3.0
2026-04-03T21:28:32.891637+00:00	GitLab Importer	Fixing	VCID-w13x-3rp9-wyej	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2022-23504.yml	38.1.0
2026-04-03T21:28:32.634185+00:00	GitLab Importer	Fixing	VCID-yj9g-uz1a-jkf2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2022-23499.yml	38.1.0
2026-04-02T23:43:30.344617+00:00	GitLab Importer	Affected by	VCID-vyvy-y3cw-hbgr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2023-24814.yml	38.1.0
2026-04-02T23:40:22.037004+00:00	GitLab Importer	Fixing	VCID-8sdd-b1bn-cuhx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2022-23502.yml	38.1.0
2026-04-02T23:40:18.680640+00:00	GitLab Importer	Fixing	VCID-t1n7-eswt-73gw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2022-23503.yml	38.1.0
2026-04-02T23:40:16.503580+00:00	GitLab Importer	Fixing	VCID-zdq2-dhb2-6kaq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2022-23501.yml	38.1.0
2026-04-02T16:58:37.547537+00:00	GHSA Importer	Fixing	VCID-w13x-3rp9-wyej	https://github.com/advisories/GHSA-8w3p-qh3x-6gjr	38.1.0
2026-04-02T16:58:37.484477+00:00	GHSA Importer	Fixing	VCID-t1n7-eswt-73gw	https://github.com/advisories/GHSA-c5wx-6c2c-f7rm	38.1.0
2026-04-02T16:58:37.154210+00:00	GHSA Importer	Fixing	VCID-8sdd-b1bn-cuhx	https://github.com/advisories/GHSA-mgj2-q8wp-29rr	38.1.0
2026-04-02T16:58:36.964396+00:00	GHSA Importer	Fixing	VCID-zdq2-dhb2-6kaq	https://github.com/advisories/GHSA-jfp7-79g7-89rf	38.1.0
2026-04-02T16:58:36.504211+00:00	GHSA Importer	Fixing	VCID-yj9g-uz1a-jkf2	https://github.com/advisories/GHSA-hvwx-qh2h-xcfj	38.1.0
2026-04-01T18:06:24.065464+00:00	GitLab Importer	Affected by	VCID-vyvy-y3cw-hbgr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2023-24814.yml	38.0.0
2026-04-01T18:02:53.987267+00:00	GitLab Importer	Fixing	VCID-8sdd-b1bn-cuhx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2022-23502.yml	38.0.0
2026-04-01T18:02:50.520801+00:00	GitLab Importer	Fixing	VCID-t1n7-eswt-73gw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2022-23503.yml	38.0.0
2026-04-01T18:02:47.719353+00:00	GitLab Importer	Fixing	VCID-zdq2-dhb2-6kaq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2022-23501.yml	38.0.0
2026-04-01T13:06:01.556469+00:00	GithubOSV Importer	Fixing	VCID-8sdd-b1bn-cuhx	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-mgj2-q8wp-29rr/GHSA-mgj2-q8wp-29rr.json	38.0.0
2026-04-01T13:06:01.009927+00:00	GithubOSV Importer	Fixing	VCID-t1n7-eswt-73gw	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-c5wx-6c2c-f7rm/GHSA-c5wx-6c2c-f7rm.json	38.0.0
2026-04-01T13:05:59.121959+00:00	GithubOSV Importer	Fixing	VCID-w13x-3rp9-wyej	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-8w3p-qh3x-6gjr/GHSA-8w3p-qh3x-6gjr.json	38.0.0
2026-04-01T13:05:53.566837+00:00	GithubOSV Importer	Fixing	VCID-zdq2-dhb2-6kaq	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-jfp7-79g7-89rf/GHSA-jfp7-79g7-89rf.json	38.0.0
2026-04-01T13:05:50.342051+00:00	GithubOSV Importer	Fixing	VCID-yj9g-uz1a-jkf2	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-hvwx-qh2h-xcfj/GHSA-hvwx-qh2h-xcfj.json	38.0.0