CVE-2022-23503

Published: Dec 14, 2022

Modified: Apr 18, 2025

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

TYPO3 is an open source PHP based web content management system. Versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are vulnerable to Code Injection. Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it is possible to inject code instructions to be processed and executed via TypoScript as PHP code. The existence of individual TypoScript instructions for a particular form item and a valid backend user account with access to the form module are needed to exploit this vulnerability. This issue is patched in versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.

Vendor	Product	Versions
TYPO3	typo3	affected `>= 8.0.0, < 8.7.49` affected `>= 9.0.0, < 9.5.38` affected `>= 10.0.0, < 10.4.33` affected `>= 11.0.0, < 11.5.20` affected `>= 12.0.0, < 12.1.1`

Weaknesses (CWE)

CWE-94

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/TYPO3/typo3/security/advisories/GHSA-c5wx-6c2c-f7rm

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-23503

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References