CVE-2022-23504

MEDIUM

Typo3 < 9.5.38 - Information Disclosure

Title source: rule

Description

TYPO3 is an open source PHP based web content management system. Versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are subject to Sensitive Information Disclosure. Due to the lack of handling user-submitted YAML placeholder expressions in the site configuration backend module, attackers could expose sensitive internal information, such as system configuration or HTTP request messages of other website visitors. A valid backend user account having administrator privileges is needed to exploit this vulnerability. This issue has been patched in versions 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.

References (1)

[Third Party Advisory] https://github.com/TYPO3/typo3/security/advisories/GHSA-8w3p-qh3x-6gjr

Scores

CVSS v3 5.7

EPSS 0.0031

EPSS Percentile 54.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-917 CWE-200

Status published

Products (3)

typo3/cms 10.0.0 - 10.4.33Packagist

typo3/cms-core 9.0.0 - 9.5.38Packagist

typo3/typo3 9.0.0 - 9.5.38

Published Dec 14, 2022

Tracked Since Feb 18, 2026