CVE-2024-55892 MEDIUM

CVE-2024-55892: Potential Open Redirect via Parsing Differences in TYPO3

Vendor Typo3

Product typo3

Weakness CWE-601 · Open redirect

Published January 14, 2025

Last update January 14, 2025

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

TYPO3 is a free and open source Content Management Framework. Applications that use `TYPO3\CMS\Core\Http\Uri` to parse externally provided URLs (e.g., via a query parameter) and validate the host of the parsed URL may be vulnerable to open redirect or SSRF attacks if the URL is used after passing the validation checks. Users are advised to update to TYPO3 versions 9.5.49 ELTS, 10.4.48 ELTS, 11.5.42 LTS, 12.4.25 LTS, 13.4.3 which fix the problem described. There are no known workarounds for this vulnerability.

Key dates

Disclosure timeline

January 14, 2025 CVE published

January 14, 2025 Record updated

Identifiers

CVE CVE-2024-55892

CWE CWE-601

CVSS 4.8 / MEDIUM

Affected versions

Vendor Typo3

Product typo3

Affected >= 9.0.0, < 9.5.49

Vendor Typo3

Product typo3

Affected >= 10.0.0, < 10.4.48

Vendor Typo3

Product typo3

Affected >= 11.0.0, < 11.5.42

Vendor Typo3

Product typo3

Affected >= 12.0.0, < 12.4.25

Vendor Typo3

Product typo3

Affected >= 13.0.0, < 13.4.3