CVE-2022-23503 — Code Injection in Typo3

CWE-94 — Code Injection4 documents4 sources

Severity

8.8HIGHNVD

CNA7.5

EPSS

0.5%

top 33.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Typo3 Typo3 CMS Typo3 Cms-core

Timeline

PublishedDec 14

Description

TYPO3 is an open source PHP based web content management system. Versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are vulnerable to Code Injection. Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it is possible to inject code instructions to be processed and executed via TypoScript as PHP code. The existence of individual TypoScript instructions for a particular form item and a valid backend user account with ac…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶Packagisttypo3/cms10.0.0 — 10.4.33+2

▶NVDtypo3/typo38.0.0 — 8.7.49+4

▶Packagisttypo3/cms-core8.0.0 — 8.7.49+4

▶CVEListV5typo3/typo35 versions+4

🔴Vulnerability Details

CVEList

TYPO3 vulnerable to Arbitrary Code Execution via Form Framework↗2022-12-14

▶

GHSA

TYPO3 CMS vulnerable to Arbitrary Code Execution via Form Framework↗2022-12-13

▶

OSV

TYPO3 CMS vulnerable to Arbitrary Code Execution via Form Framework↗2022-12-13

▶