CVE-2022-23504

MEDIUM

Typo3 < 9.5.38 - Information Disclosure

Title source: rule

Description

TYPO3 is an open source, PHP-based web content management system. Versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are subject to sensitive information disclosure. Because user-submitted YAML placeholder expressions in the site configuration backend module were not handled, an attacker could expose sensitive internal information, such as system configuration or the HTTP request messages of other website visitors. A valid backend user account with administrator privileges is required to exploit this vulnerability. The issue has been patched in versions 9.5.38 ELTS, 10.4.33, 11.5.20, and 12.1.1.
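The weakness class behind this advisory (CWE-917, expression language injection via configuration placeholders) is easier to reason about with a minimal loader in front of you. The following PHP is an added illustration written for this page; it is not TYPO3 code and does not reproduce the patched module. The function names are hypothetical, and the placeholder syntax is modelled on TYPO3's documented `%env(NAME)%` convention for site configuration. The resolver itself is harmless; the bug is applying it to values a backend user typed into a form, so the example contrasts that with a path that refuses placeholder syntax in submitted values before any expansion happens.

```php
<?php
// Added example, not TYPO3's own code. Demonstrates why expanding config
// placeholders over user-submitted values leaks internal data (CWE-917 -> CWE-200).
declare(strict_types=1);

// Placeholder syntax modelled on TYPO3's %env(NAME)% site-config convention (assumption).
const PLACEHOLDER_RE = '/%env\(([A-Za-z0-9_]+)\)%/';

// Resolver: replaces every %env(NAME)% with the value of that environment variable.
// Safe only when the input is trusted (e.g. the on-disk config.yaml written by an admin).
function expandPlaceholders(array $config): array
{
    array_walk_recursive($config, function (&$value): void {
        if (is_string($value)) {
            $value = preg_replace_callback(PLACEHOLDER_RE, function (array $m): string {
                $resolved = getenv($m[1]);
                return $resolved === false ? '' : $resolved;
            }, $value);
        }
    });
    return $config;
}

// VULNERABLE PATTERN: a form handler that stores the submitted site config and
// re-renders it through the same resolver. A value of "%env(DB_PASSWORD)%" in any
// field is expanded and shown back to the submitter.
function renderSubmittedConfigVulnerable(array $submitted): array
{
    return expandPlaceholders($submitted);
}

// HARDENED PATTERN (one reasonable fix, not a claim about TYPO3's actual patch):
// reject placeholder syntax in anything that arrived through the backend form,
// so the expression never reaches the resolver.
function rejectPlaceholdersInSubmission(array $submitted): void
{
    array_walk_recursive($submitted, function ($value, $key): void {
        if (is_string($value) && preg_match(PLACEHOLDER_RE, $value) === 1) {
            throw new InvalidArgumentException(
                sprintf('Placeholder expressions are not allowed in submitted field "%s"', (string) $key)
            );
        }
    });
}

// Only the trusted on-disk part is ever expanded; the submission is layered on
// top unexpanded after it has passed the check.
function mergeSubmittedConfig(array $trustedOnDisk, array $submitted): array
{
    rejectPlaceholdersInSubmission($submitted);
    return array_replace_recursive(expandPlaceholders($trustedOnDisk), $submitted);
}

// --- constructed demo data (no real secrets) ---
putenv('DB_PASSWORD=demo-only-not-a-real-secret');

$trustedOnDisk = [
    'base'       => 'https://example.org/',
    'dbPassword' => '%env(DB_PASSWORD)%', // legitimate use by the deployer
];
// Constructed attacker input: a site-config field entered through the backend module.
$submitted = ['base' => '%env(DB_PASSWORD)%'];

// Vulnerable path: the submitted placeholder resolves to the environment value.
echo 'vulnerable: ', renderSubmittedConfigVulnerable($submitted)['base'], PHP_EOL;

// Hardened path: the submission is refused before expansion.
try {
    mergeSubmittedConfig($trustedOnDisk, $submitted);
} catch (InvalidArgumentException $e) {
    echo 'hardened: ', $e->getMessage(), PHP_EOL;
}
```

Two practical points follow from the example. First, the check has to run on provenance, not on content: the same `%env(...)%` string is legitimate in a file the deployer wrote and an exfiltration primitive in a form field, so the loader needs to know which source it is expanding. Second, the advisory's mention of other visitors' HTTP request messages shows that placeholder resolvers often reach more than environment variables; whatever the resolver can address is what an injected expression can read, which is why blocking the syntax at the trust boundary is preferable to filtering individual placeholder targets.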

Scores

CVSS v3 5.7
EPSS 0.0031
EPSS Percentile 54.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L

Classification

CWE
CWE-917 CWE-200
Status published

Affected Products (3)

typo3/typo3 < 9.5.38
typo3/cms-core < 9.5.38 (Packagist)
typo3/cms < 10.4.33 (Packagist)

Timeline

Published Dec 14, 2022
Tracked Since Feb 18, 2026