CVE-2023-38499

2023-07-2521:15:10

Google

osv.dev

typo3

web cms

out-of-scope access

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

6.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

23.7%

JSON

TYPO3 is an open source PHP based web content management system. Starting in version 9.4.0 and prior to versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, and 12.4.4, in multi-site scenarios, enumerating the HTTP query parameters id and L allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available. TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4 fix the problem.

CPENameOperatorVersion
typo3eq11.3.0
typo3eq8.5.0
typo3eq11.5.3
typo3eq10.4.0
typo3eqTYPO3_7-3-0
typo3eqTYPO3_8-0-0
typo3eqTYPO3_6-2-0beta2
typo3eqTYPO3_6-1-0rc1
typo3eq11.5.2
typo3eq7.6.1

Name	Operator	Version
typo3	eq	11.3.0
typo3	eq	8.5.0
typo3	eq	11.5.3
typo3	eq	10.4.0
typo3	eq	TYPO3_7-3-0
typo3	eq	TYPO3_8-0-0
typo3	eq	TYPO3_6-2-0beta2
typo3	eq	TYPO3_6-1-0rc1
typo3	eq	11.5.2
typo3	eq	7.6.1