CVE-2022-23503 HIGH

CVE-2022-23503: TYPO3 vulnerable to Arbitrary Code Execution via Form Framework

Vendor Typo3

Product typo3

Weakness CWE-94 · Code injection

Published December 14, 2022

Last update April 18, 2025

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

TYPO3 is an open source PHP based web content management system. Versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are vulnerable to Code Injection. Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it is possible to inject code instructions to be processed and executed via TypoScript as PHP code. The existence of individual TypoScript instructions for a particular form item and a valid backend user account with access to the form module are needed to exploit this vulnerability. This issue is patched in versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.

Key dates

Disclosure timeline

December 14, 2022 CVE published

April 18, 2025 Record updated

Identifiers

CVE CVE-2022-23503

CWE CWE-94

CVSS 7.5 / HIGH

Affected versions

Vendor Typo3

Product typo3

Affected >= 8.0.0, < 8.7.49

Vendor Typo3

Product typo3

Affected >= 9.0.0, < 9.5.38

Vendor Typo3

Product typo3

Affected >= 10.0.0, < 10.4.33

Vendor Typo3

Product typo3

Affected >= 11.0.0, < 11.5.20

Vendor Typo3

Product typo3

Affected >= 12.0.0, < 12.1.1