OSV:GHSA-JQ6G-4V5M-WM9R
History: Jul 25, 2023 - 6:25 p.m.

Information Disclosure due to Out-of-scope Site Resolution

2023-07-25 18:25:52
Google
osv.dev
Tags: http, site resolution, typo3, security advisory

CVSS3: 5.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.001 Low (percentile: 23.7%)

> ### CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C (3.5)

Problem

In multi-site scenarios, enumerating the HTTP query parameters id and L allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available.

Solution

Update to TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4 that fix the problem described above.

> ℹī¸ Strong security defaults - Manual actions required
> Resolving sites by the id and L HTTP query parameters is now denied per default. However, it is still allowed to resolve a particular page by e.g. https://example.org/?id=123&L=0 - as long as the page-id 123 is in the scope of the site configured for the base-url example.org.
> The new feature flag security.frontend.allowInsecureSiteResolutionByQueryParameters - which is disabled per default - can be used to reactivate the previous behavior.
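
The scope rule described above, as an added example (a simplified model written for this page, not TYPO3's own code): the site is chosen from the request host, and an `id` parameter is honoured only if that page lies below the site's root page. The page tree, the `internal.example.org` host and the `allow_insecure` argument (standing in for the feature flag) are constructed assumptions; the `L` parameter is not modelled.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: page uid -> parent uid (0 = top of the page tree).
PAGE_PARENT = {1: 0, 123: 1, 124: 123, 200: 0, 210: 200}
# Constructed site configurations: base host -> root page uid.
SITES = {"example.org": 1, "internal.example.org": 200}


def root_page_of(page_id):
    """Walk up the rootline; return the site root containing page_id, or None."""
    roots = set(SITES.values())
    seen = set()
    while page_id in PAGE_PARENT and page_id not in seen:
        if page_id in roots:
            return page_id
        seen.add(page_id)  # guard against a cyclic parent chain
        page_id = PAGE_PARENT[page_id]
    return None


def resolve(url, allow_insecure=False):
    """Return (site_host, page_id) for the request, or None if it is denied."""
    parts = urlsplit(url)
    host = parts.hostname
    if host not in SITES:
        return None
    raw = parse_qs(parts.query).get("id", [None])[0]
    if raw is None:
        return host, SITES[host]  # no id given: serve the site's root page
    if not (raw.isascii() and raw.isdigit()):
        return None
    page_id = int(raw)
    owner_root = root_page_of(page_id)
    if owner_root is None:
        return None  # unknown page
    if owner_root == SITES[host]:
        return host, page_id  # page is in scope of the host's site
    if allow_insecure:
        # Previous behaviour: the page id, not the host, selects the site.
        owner = next(h for h, r in SITES.items() if r == owner_root)
        return owner, page_id
    return None  # out-of-scope page id: denied by default


if __name__ == "__main__":
    for u in ("https://example.org/?id=123&L=0", "https://example.org/?id=210&L=0"):
        print(u, "->", resolve(u), "| flag enabled:", resolve(u, allow_insecure=True))
```
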

Credits

Thanks to Garvin Hicking who reported this issue, and to TYPO3 core & security team members Oliver Hader and Benjamin Franzke who fixed the issue.
