CVE-2021-21359 MEDIUM

CVE-2021-21359: Denial of Service in Page Error Handling

Vendor Typo3
Product TYPO3.CMS
Weakness CWE-674
Published March 23, 2021
Last update August 3, 2024

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.25, 10.4.14, 11.1.1 requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. This is fixed in versions 9.5.25, 10.4.14, 11.1.1.

Key dates

02Disclosure timeline

March 23, 2021 CVE published
August 3, 2024 Record updated