Search for packages
Package details: pkg:composer/typo3/cms@11.5.20
purl pkg:composer/typo3/cms@11.5.20
Next non-vulnerable version 11.5.23
Latest non-vulnerable version 12.2.0
Risk
Vulnerabilities affecting this package (1)
Vulnerability Summary Fixed by
VCID-swwb-fm9u-tucv
Aliases:
CVE-2023-24814
GHSA-r4f8-f93x-5qh3
TYPO3 is vulnerable to Cross-Site Scripting via frontend rendering > ### CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L/E:F/RL:O/RC:C` (8.2) ### Problem TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting [`config.absRefPrefix=auto`](https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549), attackers can inject malicious HTML code into pages that have not yet been rendered and cached. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of [`GeneralUtility::getIndpEnv('SCRIPT_NAME')`](https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484) and corresponding usages (as shown below) are vulnerable as well. - `GeneralUtility::getIndpEnv('PATH_INFO') ` - `GeneralUtility::getIndpEnv('SCRIPT_NAME') ` - `GeneralUtility::getIndpEnv('TYPO3_REQUEST_DIR')` - `GeneralUtility::getIndpEnv('TYPO3_REQUEST_SCRIPT')` - `GeneralUtility::getIndpEnv('TYPO3_SITE_PATH')` - `GeneralUtility::getIndpEnv('TYPO3_SITE_SCRIPT')` - `GeneralUtility::getIndpEnv('TYPO3_SITE_URL')` Installations of TYPO3 versions 8.7 and 9.x are probably only affected when server environment variable [`TYPO3_PATH_ROOT`](https://docs.typo3.org/m/typo3/reference-coreapi/9.5/en-us/ApiOverview/Environment/Index.html#configuring-environment-paths) is defined - which is the case if they were installed via Composer. Additional investigations confirmed that Apache and Microsoft IIS web servers using PHP-CGI (FPM, FCGI/FastCGI, or similar) are affected. There might be the risk that nginx is vulnerable as well. It was not possible to exploit Apache/mod_php scenarios. ### Solution The usage of server environment variable `PATH_INFO` has been removed from corresponding processings in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded for both being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.36 LTS, 11.5.23 LTS and 12.2.0 that fix the problem described above. > ℹ️ **Strong security defaults - Manual actions required** > Any web server using PHP-CGI (FPM, FCGI/FastCGI, or similar) needs to ensure that the PHP setting [**`cgi.fix_pathinfo=1`**](https://www.php.net/manual/en/ini.core.php#ini.cgi.fix-pathinfo) is used, which is the default PHP setting. In case this setting is not enabled, an exception is thrown to avoid continuing with invalid path information. For websites that cannot be patched timely the TypoScript setting [`config.absRefPrefix`](https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix) at least should be set to a static path value, instead of using `auto` - e.g. `config.absRefPrefix=/` - this **does not fix all aspects of the vulnerability**, and is just considered to be an intermediate mitigation to the most prominent manifestation. ### References * [TYPO3-CORE-SA-2023-001](https://typo3.org/security/advisory/typo3-core-sa-2023-001) * [TYPO3-CORE-PSA-2023-001](https://typo3.org/security/advisory/typo3-psa-2023-001) *pre-announcement*
11.5.23
Affected by 0 other vulnerabilities.
12.2.0
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (6)
Vulnerability Summary Aliases
VCID-c4su-ykce-xkh3 TYPO3 HTML Sanitizer vulnerable to Cross-Site Scripting ### Problem Due to a parsing issue in the upstream package [`masterminds/html5`](https://packagist.org/packages/masterminds/html5), malicious markup used in a sequence with special HTML CDATA sections cannot be filtered and sanitized. This allows bypassing the cross-site scripting mechanism of [`typo3/html-sanitizer`](https://packagist.org/packages/typo3/html-sanitizer). Besides that, the upstream package `masterminds/html5` provides HTML raw text elements (`script`, `style`, `noframes`, `noembed` and `iframe`) as DOMText nodes, which were not processed and sanitized further. None of the mentioned elements were defined in the default builder configuration, that's why only custom behaviors, using one of those tag names, were vulnerable to cross-site scripting. ### Solution Update to `typo3/html-sanitizer` versions 1.5.0 or 2.1.1 that fix the problem described. CVE-2022-23499
GHSA-hvwx-qh2h-xcfj
VCID-kh9n-kuvd-pbat TYPO3 CMS vulnerable to Weak Authentication in Frontend Login ### Problem Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary. ### Solution Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-013](https://typo3.org/security/advisory/typo3-core-sa-2022-013) CVE-2022-23501
GHSA-jfp7-79g7-89rf
VCID-pn6v-bye1-33fu TYPO3 CMS vulnerable to Denial of Service in Page Error Handling ### Problem Requesting invalid or non-existing resources via HTTP triggers the page error handler, which again could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. This vulnerability is very similar, but not identical, to the one described in [TYPO3-CORE-SA-2021-005](https://typo3.org/security/advisory/typo3-core-sa-2021-005) (CVE-2021-21359). ### Solution Update to TYPO3 versions 9.5.38 ELTS, 10.4.33 or 11.5.20 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-012](https://typo3.org/security/advisory/typo3-core-sa-2022-012) CVE-2022-23500
GHSA-8c28-5mp7-v24h
VCID-twj9-9jqv-vkcx TYPO3 CMS vulnerable to Insufficient Session Expiration after Password Reset ### Problem When users reset their password using the corresponding password recovery functionality, existing sessions for that particular user account were not revoked. This applied to both frontend user sessions and backend user sessions. ### Solution Update to TYPO3 versions 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-014](https://typo3.org/security/advisory/typo3-core-sa-2022-014) CVE-2022-23502
GHSA-mgj2-q8wp-29rr
VCID-u8we-bkyu-83b8 TYPO3 CMS vulnerable to Arbitrary Code Execution via Form Framework ### Problem Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it was possible to inject code instructions to be processed and executed via TypoScript as PHP code. The existence of individual TypoScript instructions for a particular form item (known as [`formDefinitionOverrides`](https://docs.typo3.org/c/typo3/cms-form/main/en-us/I/Concepts/FrontendRendering/Index.html#form-element-properties)) and a valid backend user account with access to the form module are needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### References * [TYPO3-CORE-SA-2022-015](https://typo3.org/security/advisory/typo3-core-sa-2022-015) CVE-2022-23503
GHSA-c5wx-6c2c-f7rm
VCID-vecz-7yug-dbcx TYPO3 CMS vulnerable to Sensitive Information Disclosure via YAML Placeholder Expressions in Site Configuration > ### CVSS: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L/E:F/RL:O/RC:C` (5.3) ### Problem Due to the lack of handling user-submitted [YAML placeholder expressions](https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/Configuration/Yaml/YamlApi.html#custom-placeholder-processing) in the site configuration backend module, attackers could expose sensitive internal information, such as system configuration or HTTP request messages of other website visitors. A valid backend user account having administrator privileges is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above. ### Credits Thanks to TYPO3 core & security team member Oliver Hader who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2022-016](https://typo3.org/security/advisory/typo3-core-sa-2022-016) CVE-2022-23504
GHSA-8w3p-qh3x-6gjr

Date Actor Action Vulnerability Source VulnerableCode Version
2025-07-03T18:38:34.244417+00:00 GitLab Importer Affected by VCID-swwb-fm9u-tucv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2023-24814.yml 37.0.0
2025-07-03T18:36:18.292845+00:00 GitLab Importer Fixing VCID-twj9-9jqv-vkcx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2022-23502.yml 37.0.0
2025-07-03T18:36:17.295636+00:00 GitLab Importer Fixing VCID-pn6v-bye1-33fu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2022-23500.yml 37.0.0
2025-07-03T18:36:15.643140+00:00 GitLab Importer Fixing VCID-u8we-bkyu-83b8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2022-23503.yml 37.0.0
2025-07-03T18:36:14.138498+00:00 GitLab Importer Fixing VCID-kh9n-kuvd-pbat https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2022-23501.yml 37.0.0
2025-07-01T14:34:11.624680+00:00 GHSA Importer Fixing VCID-vecz-7yug-dbcx https://github.com/advisories/GHSA-8w3p-qh3x-6gjr 36.1.3
2025-07-01T14:34:11.410932+00:00 GHSA Importer Fixing VCID-u8we-bkyu-83b8 https://github.com/advisories/GHSA-c5wx-6c2c-f7rm 36.1.3
2025-07-01T14:34:11.390831+00:00 GHSA Importer Fixing VCID-twj9-9jqv-vkcx https://github.com/advisories/GHSA-mgj2-q8wp-29rr 36.1.3
2025-07-01T14:34:11.239329+00:00 GHSA Importer Fixing VCID-kh9n-kuvd-pbat https://github.com/advisories/GHSA-jfp7-79g7-89rf 36.1.3
2025-07-01T14:34:11.041584+00:00 GHSA Importer Fixing VCID-pn6v-bye1-33fu https://github.com/advisories/GHSA-8c28-5mp7-v24h 36.1.3
2025-07-01T14:34:10.931747+00:00 GHSA Importer Fixing VCID-c4su-ykce-xkh3 https://github.com/advisories/GHSA-hvwx-qh2h-xcfj 36.1.3
2025-07-01T12:23:56.274694+00:00 GithubOSV Importer Fixing VCID-twj9-9jqv-vkcx https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-mgj2-q8wp-29rr/GHSA-mgj2-q8wp-29rr.json 36.1.3
2025-07-01T12:23:55.664380+00:00 GithubOSV Importer Fixing VCID-u8we-bkyu-83b8 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-c5wx-6c2c-f7rm/GHSA-c5wx-6c2c-f7rm.json 36.1.3
2025-07-01T12:23:55.469260+00:00 GithubOSV Importer Fixing VCID-pn6v-bye1-33fu https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-8c28-5mp7-v24h/GHSA-8c28-5mp7-v24h.json 36.1.3
2025-07-01T12:23:53.460931+00:00 GithubOSV Importer Fixing VCID-vecz-7yug-dbcx https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-8w3p-qh3x-6gjr/GHSA-8w3p-qh3x-6gjr.json 36.1.3
2025-07-01T12:23:47.080996+00:00 GithubOSV Importer Fixing VCID-kh9n-kuvd-pbat https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-jfp7-79g7-89rf/GHSA-jfp7-79g7-89rf.json 36.1.3
2025-07-01T12:23:43.296766+00:00 GithubOSV Importer Fixing VCID-c4su-ykce-xkh3 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-hvwx-qh2h-xcfj/GHSA-hvwx-qh2h-xcfj.json 36.1.3