Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-23503

Date: December 14, 2022

TYPO3 is an open source PHP based web content management system. Versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are vulnerable to Code Injection. Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it is possible to inject code instructions to be processed and executed via TypoScript as PHP code. The existence of individual TypoScript instructions for a particular form item and a valid backend user account with access to the form module are needed to exploit this vulnerability. This issue is patched in versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.

Language: PHP

Severity Score

Related Resources (8)

https://github.com/TYPO3/typo3/commit/1302e88565821f2159e08b5d818d28de17ecc830
https://nvd.nist.gov/vuln/detail/CVE-2022-23503
https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2022-23503.yaml
https://typo3.org/security/advisory/typo3-core-sa-2022-015
https://github.com/TYPO3/typo3/security/advisories/GHSA-c5wx-6c2c-f7rm
https://github.com/TYPO3/typo3
https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-23503.yaml
https://www.mend.io/vulnerability-database/CVE-2022-23503

Severity Score

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us