5.3

CVE-2023-38499

typo3/cms-core Information Disclosure due to Out-of-scope Site Resolution

TYPO3 is an open source PHP based web content management system. Starting in version 9.4.0 and prior to versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, and 12.4.4, in multi-site scenarios, enumerating the HTTP query parameters `id` and `L` allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available. TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4 fix the problem.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Typo3Typo3 Version >= 9.4.0 < 9.5.42
Typo3Typo3 Version >= 10.0.0 < 10.4.39
Typo3Typo3 Version >= 11.0.0 < 11.5.30
Typo3Typo3 Version >= 12.0.0 < 12.4.4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.88% 0.543
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com 3.7 2.2 1.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/TYPO3/typo3/commit/702e2debd4b28f9cdb540544565fe6a8627ccb6a
Patch
https://github.com/TYPO3/typo3/security/advisories/GHSA-jq6g-4v5m-wm9r
Vendor Advisory
https://typo3.org/security/advisory/typo3-core-sa-2023-003
Vendor Advisory