logo

Database

Enabled default configuration In typo3/cms-core

Description

Information Disclosure due to Out-of-scope Site Resolution

CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C (3.5)

Problem

In multi-site scenarios, enumerating the HTTP query parameters id and L allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available.

Solution

Update to TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4 that fix the problem described above.

ℹ️ Strong security defaults - Manual actions required Resolving sites by the id and L HTTP query parameters is now denied per default. However, it is still allowed to resolve a particular page by e.g. https://example.org/?id=123&L=0 - as long as the page-id 123 is in the scope of the site configured for the base-url example.org. The new feature flag security.frontend.allowInsecureSiteResolutionByQueryParameters - which is disabled per default - can be used to reactivate the previous behavior.

Credits

Thanks to Garvin Hicking who reported this issue, and to TYPO3 core & security team members Oliver Hader and Benjamin Franzke who fixed the issue.

References

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-384992. NVD-2023-384993. OSV-2023-384994. GHSA-jq6g-4v5m-wm9r5. GCVE-2023-38499

References

1. https://github.com/TYPO3/typo3/security/advisories/GHSA-jq6g-4v5m-wm9r2. https://github.com/TYPO3/typo3/commit/702e2debd4b28f9cdb540544565fe6a8627ccb6a3. https://typo3.org/security/advisory/typo3-core-sa-2023-003

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.