Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-38499

TYPO3 is an open source PHP based web content management system. Starting in version 9.4.0 and prior to versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, and 12.4.4, in multi-site scenarios, enumerating the HTTP query parameters `id` and `L` allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available. TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4 fix the problem.

Published

2023-07-25T21:15:10.997

Last Modified

2024-11-21T08:13:42.133

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 3.7 (LOW)

Weaknesses

Type: Secondary
CWE-200
Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	typo3	typo3	< 9.5.42	Yes
Application	typo3	typo3	< 10.4.39	Yes
Application	typo3	typo3	< 11.5.30	Yes
Application	typo3	typo3	< 12.4.4	Yes

References

https://github.com/TYPO3/typo3/commit/702e2debd4b28f9cdb540544565fe6a8627ccb6a Patch ([email protected])
https://github.com/TYPO3/typo3/security/advisories/GHSA-jq6g-4v5m-wm9r Vendor Advisory ([email protected])
https://typo3.org/security/advisory/typo3-core-sa-2023-003 Vendor Advisory ([email protected])
https://github.com/TYPO3/typo3/commit/702e2debd4b28f9cdb540544565fe6a8627ccb6a Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/TYPO3/typo3/security/advisories/GHSA-jq6g-4v5m-wm9r Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://typo3.org/security/advisory/typo3-core-sa-2023-003 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)