CVE-2022-23504

MEDIUM

TYPO3 < 9.5.38, 10.4.33, 11.5.20, 12.1.1 - Sensitive Information Disclosure via YAML Placeholder Expressions

Title source: llm

Description

TYPO3 is an open source PHP based web content management system. Versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are subject to Sensitive Information Disclosure. Due to the lack of handling user-submitted YAML placeholder expressions in the site configuration backend module, attackers could expose sensitive internal information, such as system configuration or HTTP request messages of other website visitors. A valid backend user account having administrator privileges is needed to exploit this vulnerability. This issue has been patched in versions 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.

References (1)

Core 1

Core References

Third Party Advisory x_refsource_confirm

https://github.com/TYPO3/typo3/security/advisories/GHSA-8w3p-qh3x-6gjr

Scores

CVSS v3 5.7

EPSS 0.0051

EPSS Percentile 39.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-917 CWE-200

Status published

Products (3)

typo3/cms 10.0.0 - 10.4.33Packagist

typo3/cms-core 9.0.0 - 9.5.38Packagist

typo3/typo3 9.0.0 - 9.5.38

Published Dec 14, 2022

Tracked Since Feb 18, 2026