CVE-2023-38499 LOW

CVE-2023-38499: typo3/cms-core Information Disclosure due to Out-of-scope Site Resolution

Vendor Typo3

Product typo3

Weakness CWE-200 · Info exposure

Published July 25, 2023

Last update October 15, 2024

View on NVD All CVEs

CVSS base score

3.7/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

TYPO3 is an open source PHP based web content management system. Starting in version 9.4.0 and prior to versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, and 12.4.4, in multi-site scenarios, enumerating the HTTP query parameters `id` and `L` allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available. TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4 fix the problem.

Key dates

Disclosure timeline

July 25, 2023 CVE published

October 15, 2024 Record updated

Identifiers

CVE CVE-2023-38499

CWE CWE-200

CVSS 3.7 / LOW

Affected versions

Vendor Typo3

Product typo3

Affected >= 9.4.0, < 9.5.42

Vendor Typo3

Product typo3

Affected >= 10.0.0, < 10.4.39

Vendor Typo3

Product typo3

Affected >= 11.0.0, < 11.5.30

Vendor Typo3

Product typo3

Affected >= 12.0.0, < 12.4.4