Description

TYPO3 is an open source PHP based web content management system. Versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are subject to Sensitive Information Disclosure. Due to the lack of handling user-submitted YAML placeholder expressions in the site configuration backend module, attackers could expose sensitive internal information, such as system configuration or HTTP request messages of other website visitors. A valid backend user account having administrator privileges is needed to exploit this vulnerability. This issue has been patched in versions 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.

Remediation

References

CVE-2022-23504

Related Vulnerabilities

Python URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2016-1000110)

WordPress Plugin WP-Lister Lite for Amazon Cross-Site Scripting (2.4.3)

WordPress Plugin Inline Call To Action Builder Lite-Free Call To Action Layer for WordPress includes Backdoor [Only if downloaded via the vendor website] (1.1.0)

WordPress Plugin WBW Currency Switcher for WooCommerce Cross-Site Scripting (1.6.5)

WordPress Plugin Arlo training and event management system Cross-Site Scripting (2.1.7.1)

Severity

Medium

Classification

CVE-2022-23504 CWE-138 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities