CVE-2022-36104 MEDIUM

CVE-2022-36104: Denial of Service via Page Error Handling in TYPO3/cms

Vendor Typo3

Product typo3

Weakness CWE-770 · Uncontrolled resource consumption

Published September 13, 2022

Last update April 23, 2025

View on NVD All CVEs

CVSS base score

5.9/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. Users are advised to update to TYPO3 version 11.5.16 to resolve this issue. There are no known workarounds for this issue.

Key dates

Disclosure timeline

September 13, 2022 CVE published

April 23, 2025 Record updated