CVE-2021-41114 — Improper Input Validation in Typo3

CWE-20 — Improper Input Validation CWE-644 — Improper Neutralization of HTTP Headers for Scripting Syntax4 documents4 sources

Severity

5.3MEDIUMNVD

CNA5.0GHSA5.0OSV5.0

EPSS

0.3%

top 47.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Typo3 Typo3 CMS Typo3 Cms-core

Timeline

PublishedOct 5

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP Host header. TYPO3 uses the HTTP Host header, for example, to generate absolute URLs during the frontend rendering process. Since the host header itself is provided by the client, it can be forged to any value, even in a name-based virtual hosts environment. This vulnerability is the same as descri…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶Packagisttypo3/cms-core11.0.0 — 11.5.0

▶Packagisttypo3/cms11.0.0 — 11.5.0

▶NVDtypo3/typo311.0.0 — 11.5.0

▶CVEListV5typo3/typo3>= 11.0.0, < 11.5.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

HTTP Host Header Injection↗2021-10-05

▶

CVEList

HTTP Host Header Injection in Request Handling in Typo3↗2021-10-05

▶

OSV

HTTP Host Header Injection↗2021-10-05

▶