Veracode Vulnerability Database: VERACODE:41797
History: Jul 27, 2023 - 1:38 p.m.

Information Disclosure

2023-07-27 13:38:23
sca.analysiscenter.veracode.com
Tags: typo3, cms-core, information disclosure, vulnerability, uri, query parameters, restricted, attacker, crafted, url, publicly available, internal site, software

CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.001 Low (Percentile: 23.7%)

typo3/cms-core is vulnerable to Information Disclosure. The vulnerability exists because requests to a URI with page-id query parameters that are not part of a particular site are not properly restricted. This allows an attacker to add crafted query parameters to the URL of publicly available sites and access the content of an internal site.
