Search for vulnerabilities
Vulnerability details: VCID-rppe-tezz-jyhc
Vulnerability ID VCID-rppe-tezz-jyhc
Aliases CVE-2022-36104
GHSA-fffr-7x4x-f98q
Summary TYPO3 CMS vulnerable to Denial of Service in Page Error Handling > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C` (5.5) ### Problem Requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. This vulnerability is the same as described in [TYPO3-CORE-SA-2021-005](https://typo3.org/security/advisory/typo3-core-sa-2021-005) ([CVE-2021-21359](https://nvd.nist.gov/vuln/detail/CVE-2021-21359)). A regression, introduced during TYPO3 v11 development, led to this situation. ### Solution Update to TYPO3 version 11.5.16 that fixes the problem described above. ### Credits Thanks to Rik Willems who reported this issue and to TYPO3 core & security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2022-006](https://typo3.org/security/advisory/typo3-core-sa-2022-006)
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-770 Allocation of Resources Without Limits or Throttling
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00302 https://api.first.org/data/v1/epss?cve=CVE-2022-36104
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-fffr-7x4x-f98q
cvssv3.1 5.9 https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-36104.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-36104.yaml
cvssv3.1 5.9 https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-36104.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-36104.yaml
cvssv3.1 5.9 https://github.com/TYPO3/typo3
generic_textual MODERATE https://github.com/TYPO3/typo3
cvssv3.1 5.9 https://github.com/TYPO3/typo3/commit/179dd7cd78947081d573fee2050e197faa556f13
generic_textual MODERATE https://github.com/TYPO3/typo3/commit/179dd7cd78947081d573fee2050e197faa556f13
ssvc Track https://github.com/TYPO3/typo3/commit/179dd7cd78947081d573fee2050e197faa556f13
cvssv3.1 5.9 https://github.com/TYPO3/typo3/commit/fc51ccbf2bb8a8c959aa74cbceca124971e6e7fd
generic_textual MODERATE https://github.com/TYPO3/typo3/commit/fc51ccbf2bb8a8c959aa74cbceca124971e6e7fd
cvssv3.1 5.9 https://github.com/TYPO3/typo3/security/advisories/GHSA-fffr-7x4x-f98q
cvssv3.1_qr MODERATE https://github.com/TYPO3/typo3/security/advisories/GHSA-fffr-7x4x-f98q
generic_textual MODERATE https://github.com/TYPO3/typo3/security/advisories/GHSA-fffr-7x4x-f98q
ssvc Track https://github.com/TYPO3/typo3/security/advisories/GHSA-fffr-7x4x-f98q
cvssv3.1 5.9 https://nvd.nist.gov/vuln/detail/CVE-2022-36104
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2022-36104
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2022-36104
cvssv3.1 5.9 https://typo3.org/security/advisory/typo3-core-sa-2022-006
generic_textual MODERATE https://typo3.org/security/advisory/typo3-core-sa-2022-006
ssvc Track https://typo3.org/security/advisory/typo3-core-sa-2022-006
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-36104
https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-36104.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-36104.yaml
https://github.com/TYPO3/typo3
https://github.com/TYPO3/typo3/commit/179dd7cd78947081d573fee2050e197faa556f13
https://github.com/TYPO3/typo3/commit/fc51ccbf2bb8a8c959aa74cbceca124971e6e7fd
https://github.com/TYPO3/typo3/security/advisories/GHSA-fffr-7x4x-f98q
https://nvd.nist.gov/vuln/detail/CVE-2022-36104
https://typo3.org/security/advisory/typo3-core-sa-2022-006
cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*
GHSA-fffr-7x4x-f98q https://github.com/advisories/GHSA-fffr-7x4x-f98q
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-36104.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-36104.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/TYPO3/typo3
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/TYPO3/typo3/commit/179dd7cd78947081d573fee2050e197faa556f13
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:00:50Z/ Found at https://github.com/TYPO3/typo3/commit/179dd7cd78947081d573fee2050e197faa556f13
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/TYPO3/typo3/commit/fc51ccbf2bb8a8c959aa74cbceca124971e6e7fd
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/TYPO3/typo3/security/advisories/GHSA-fffr-7x4x-f98q
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:00:50Z/ Found at https://github.com/TYPO3/typo3/security/advisories/GHSA-fffr-7x4x-f98q
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-36104
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-36104
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://typo3.org/security/advisory/typo3-core-sa-2022-006
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:00:50Z/ Found at https://typo3.org/security/advisory/typo3-core-sa-2022-006
Exploit Prediction Scoring System (EPSS)
Percentile 0.53008
EPSS Score 0.00302
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:23:13.201621+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-fffr-7x4x-f98q/GHSA-fffr-7x4x-f98q.json 36.1.3