TYPO3 is an open source PHP based web content management system. Starting in version 9.4.0 and prior to versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, and 12.4.4, in multi-site scenarios, enumerating the HTTP query parameters `id` and `L` allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available. TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4 fix the problem.
References
Link | Resource |
---|---|
https://github.com/TYPO3/typo3/commit/702e2debd4b28f9cdb540544565fe6a8627ccb6a | Patch |
https://github.com/TYPO3/typo3/security/advisories/GHSA-jq6g-4v5m-wm9r | Vendor Advisory |
https://typo3.org/security/advisory/typo3-core-sa-2023-003 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-07-25T20:54:41.648Z
Updated: 2023-07-25T20:54:41.648Z
Reserved: 2023-07-18T16:28:12.076Z
Link: CVE-2023-38499
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-07-25T21:15:10.997
Modified: 2023-08-02T19:11:12.320
Link: CVE-2023-38499
JSON object: View
Redhat Information
No data.