CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L

EPSS
Percentile: 38.7%
Because the site configuration backend module does not handle user-submitted YAML placeholder expressions, attackers could disclose sensitive internal information, such as system configuration or the HTTP request messages of other website visitors.
A valid backend user account with administrator privileges is required to exploit this vulnerability.
Update to TYPO3 versions 9.5.38 ELTS, 10.4.33, 11.5.20, or 12.1.1, which fix the problem described above.
References
github.com/advisories/GHSA-8w3p-qh3x-6gjr
github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-23504.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-23504.yaml
github.com/TYPO3/typo3/commit/d1e627ff7eef07bd94c53db861e85977b203900a
github.com/TYPO3/typo3/security/advisories/GHSA-8w3p-qh3x-6gjr
nvd.nist.gov/vuln/detail/CVE-2022-23504
typo3.org/security/advisory/typo3-core-sa-2022-016