VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-gnqs-bnva-33hj

Essentials
Severities (13)
References (7)
Severity details (12)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-gnqs-bnva-33hj
Aliases	CVE-2024-55892 GHSA-2fx5-pggv-6jjr
Summary	TYPO3 Potential Open Redirect via Parsing Differences ### Problem Applications that use `TYPO3\CMS\Core\Http\Uri` to parse externally provided URLs (e.g., via a query parameter) and validate the host of the parsed URL may be vulnerable to open redirect or SSRF attacks if the URL is used after passing the validation checks. ### Solution Update to TYPO3 versions 9.5.49 ELTS, 10.4.48 ELTS, 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described. ### Credits Thanks to Sam Mush and Christian Eßl who reported this issue and to TYPO3 core & security team member Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2025-002](https://typo3.org/security/advisory/typo3-core-sa-2025-002)
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-601	URL Redirection to Untrusted Site ('Open Redirect')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00047	https://api.first.org/data/v1/epss?cve=CVE-2024-55892
cvssv3.1	4.8	https://github.com/TYPO3/typo3
generic_textual	MODERATE	https://github.com/TYPO3/typo3
cvssv3.1	4.8	https://github.com/TYPO3/typo3/commit/a4abf48d254685f43383e6e7f80d48aebaea56af
generic_textual	MODERATE	https://github.com/TYPO3/typo3/commit/a4abf48d254685f43383e6e7f80d48aebaea56af
cvssv3.1	4.8	https://github.com/TYPO3/typo3/security/advisories/GHSA-2fx5-pggv-6jjr
generic_textual	MODERATE	https://github.com/TYPO3/typo3/security/advisories/GHSA-2fx5-pggv-6jjr
ssvc	Track	https://github.com/TYPO3/typo3/security/advisories/GHSA-2fx5-pggv-6jjr
cvssv3.1	4.8	https://nvd.nist.gov/vuln/detail/CVE-2024-55892
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2024-55892
cvssv3.1	4.8	https://typo3.org/security/advisory/typo3-core-sa-2025-002
generic_textual	MODERATE	https://typo3.org/security/advisory/typo3-core-sa-2025-002
ssvc	Track	https://typo3.org/security/advisory/typo3-core-sa-2025-002

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2024-55892
		https://github.com/TYPO3/typo3
		https://github.com/TYPO3/typo3/commit/a4abf48d254685f43383e6e7f80d48aebaea56af
		https://github.com/TYPO3/typo3/security/advisories/GHSA-2fx5-pggv-6jjr
		https://nvd.nist.gov/vuln/detail/CVE-2024-55892
		https://typo3.org/security/advisory/typo3-core-sa-2025-002
GHSA-2fx5-pggv-6jjr		https://github.com/advisories/GHSA-2fx5-pggv-6jjr

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/TYPO3/typo3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/TYPO3/typo3/commit/a4abf48d254685f43383e6e7f80d48aebaea56af

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/TYPO3/typo3/security/advisories/GHSA-2fx5-pggv-6jjr

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T20:12:41Z/ Found at https://github.com/TYPO3/typo3/security/advisories/GHSA-2fx5-pggv-6jjr

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-55892

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://typo3.org/security/advisory/typo3-core-sa-2025-002

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T20:12:41Z/ Found at https://typo3.org/security/advisory/typo3-core-sa-2025-002

Exploit Prediction Scoring System (EPSS)

Percentile	0.14663
EPSS Score	0.00047
Published At	June 30, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-01T12:12:15.667900+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-2fx5-pggv-6jjr/GHSA-2fx5-pggv-6jjr.json	36.1.3