Persisted Cross-Site Scripting in Frontend Rendering in typo3
CVE-2023-24814

8.8HIGH

Key Information:

Vendor: Typo3
Status: Typo3
Vendor: CVE Published:; 7 February 2023

What is CVE-2023-24814?

A cross-site scripting (XSS) vulnerability exists in the TYPO3 Content Management Framework due to the improper handling of the server environment variable PATH_INFO. Malicious actors can exploit this weakness, especially when the TypoScript setting config.absRefPrefix=auto is enabled, leading to unauthorized HTML code being executed on user’s browsers. Injected values may not only affect individual sessions but can also be cached and serve other visitors, compromising site security. TYPO3 users are urged to upgrade their installations to secure versions or implement temporary mitigation strategies, such as changing config.absRefPrefix to a fixed static path, though this is not a comprehensive fix.

Affected Version(s)

typo3 >= 8.7.0, < 8.7.51 < 8.7.0, 8.7.51

typo3 >= 9.0.0, < 9.5.40 < 9.0.0, 9.5.40

typo3 >= 10.0.0, < 10.4.36 < 10.0.0, 10.4.36

References

https://github.com/TYPO3/typo3/security/advisories/GHSA-r...

x_refsource_CONFIRM

https://github.com/TYPO3/typo3/commit/0005a6fd86ab97eff8b...

x_refsource_MISC

https://docs.typo3.org/m/typo3/reference-typoscript/main/...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 7, 2023
Vulnerability Reserved
Jan 30, 2023

Typo3

What is CVE-2023-24814?

Affected Version(s)

References

CVSS V3.1

Timeline