First published: Tue Feb 07 2023
TYPO3-CORE-SA-2023-001: Persisted Cross-Site Scripting in Frontend Rendering
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
composer/typo3/cms | >=10.0.0 <10.4.35, >=11.0.0 <11.5.23, >=12.0.0 <12.2.0 | |
composer/typo3/cms-core | >=10.0.0 <10.4.35, >=11.0.0 <11.5.23, >=12.0.0 <12.2.0 | |
Typo3 Typo3 | >=8.7.0 <9.7.51 | |
Typo3 Typo3 | >=9.0.0 <9.5.40 | |
Typo3 Typo3 | >=10.0.0 <10.4.36 | |
Typo3 Typo3 | >=11.0.0 <11.5.23 | |
Typo3 Typo3 | >=12.0.0 <12.2.0 | |
TYPO3-CORE-SA-2023-001 is a vulnerability in TYPO3 that allows attackers to inject malicious content through the unfiltered server environment variable PATH_INFO in the GeneralUtility::getIndpEnv() component.
The TYPO3-CORE-SA-2023-001 vulnerability affects TYPO3 versions 8.7.0 to 9.7.51, 9.0.0 to 9.5.40, 10.0.0 to 10.4.35, 11.0.0 to 11.5.23, and 12.0.0 to 12.2.0.
The severity of the TYPO3-CORE-SA-2023-001 vulnerability is rated as high, with a severity value of 6.1.
To fix the TYPO3-CORE-SA-2023-001 vulnerability, update TYPO3 CMS or TYPO3 CMS-Core to versions 10.4.36, 11.5.24, or 12.2.1, or apply the provided patches.
More information about the TYPO3-CORE-SA-2023-001 vulnerability can be found in the TYPO3 security advisory TYPO3-CORE-SA-2023-001, the TYPO3 documentation, and the TYPO3 GitHub repository.