TYPO3 vulnerable to Arbitrary Code Execution via Form Framework
CVE-2022-23503

7.5HIGH

Key Information:

Vendor: Typo3
Status: Typo3
Vendor: CVE Published:; 14 December 2022

What is CVE-2022-23503?

TYPO3 is an open source PHP based web content management system. Versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are vulnerable to Code Injection. Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it is possible to inject code instructions to be processed and executed via TypoScript as PHP code. The existence of individual TypoScript instructions for a particular form item and a valid backend user account with access to the form module are needed to exploit this vulnerability. This issue is patched in versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.

Affected Version(s)

typo3 >= 8.0.0, < 8.7.49 < 8.0.0, 8.7.49

typo3 >= 9.0.0, < 9.5.38 < 9.0.0, 9.5.38

typo3 >= 10.0.0, < 10.4.33 < 10.0.0, 10.4.33

References

https://github.com/TYPO3/typo3/security/advisories/GHSA-c...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 14, 2022
Vulnerability Reserved
Jan 19, 2022

Typo3

What is CVE-2022-23503?

Affected Version(s)

References

CVSS V3.1

Timeline