CVE-2024-22188

HIGH

TYPO3 < 8.7.57 - Authenticated Command Injection via Install Tool Form Fields

Title source: llm

Description

TYPO3 before 13.0.1 allows an authenticated admin user (with system maintainer privileges) to execute arbitrary shell commands (with the privileges of the web server) via a command injection vulnerability in form fields of the Install Tool. The fixed versions are 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, and 13.0.1.

Scores

CVSS v3 7.2
EPSS 0.0069
EPSS Percentile 72.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (3)
typo3/cms-core 8.0.0 - 8.7.57 (Packagist)
typo3/typo3 13.0.0
typo3/typo3 8.0.0 - 8.7.57
Published Mar 05, 2024
Tracked Since Feb 18, 2026