CVE-2022-36104 — Allocation of Resources Without Limits or Throttling in CMS

CWE-770 — Allocation of Resources Without Limits or Throttling4 documents4 sources

Severity

7.5HIGHNVD

CNA5.9

EPSS

0.6%

top 31.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Typo3 CMS Typo3 Cms-core Typo3

Timeline

PublishedSep 13

Latest updateSep 16

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. Users are advised to update to TYPO3 ver…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶Packagisttypo3/cms11.4.0 — 11.5.16

▶Packagisttypo3/cms-core11.4.0 — 11.5.16

▶NVDtypo3/typo311.4.0 — 11.5.15

▶CVEListV5typo3/typo3>= 11.4.0, < 11.5.16

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

TYPO3 CMS vulnerable to Denial of Service in Page Error Handling↗2022-09-16

▶

GHSA

TYPO3 CMS vulnerable to Denial of Service in Page Error Handling↗2022-09-16

▶

CVEList

Denial of Service via Page Error Handling in TYPO3/cms↗2022-09-13

▶