CVE-2014-3941 — Improper Input Validation in CMS

CWE-20 — Improper Input Validation CWE-644 — Improper Neutralization of HTTP Headers for Scripting Syntax6 documents4 sources

Severity

5.0MEDIUMNVD

EPSS

0.3%

top 48.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Typo3 CMS Typo3 Cms-core Typo3

Timeline

PublishedJun 3

Latest updateMay 14

Description

TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allows remote attackers to have unspecified impact via a crafted HTTP Host header, related to "Host Spoofing."

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages4 packages

▶Packagisttypo3/cms4.5.0 — 4.5.34+5

▶Packagisttypo3/cms-core11.0.0 — 11.5.0

▶CVEListV5typo3/typo3>= 11.0.0, < 11.5.0

▶NVDtypo3/typo380 versions+79

🔴Vulnerability Details

OSV

Typo3 Host Header Spoofing Vulnerability↗2022-05-14

▶

GHSA

Typo3 Host Header Spoofing Vulnerability↗2022-05-14

▶

GHSA

HTTP Host Header Injection↗2021-10-05

▶

CVEList

HTTP Host Header Injection in Request Handling in Typo3↗2021-10-05

▶

CVEList

CVE-2014-3941: TYPO3 4↗2014-06-03

▶