TYPO3 FrontEnd Content Exposure via id/L Params 9.412.4 (Fixed)
CVE-2023-38499 Published on July 25, 2023
typo3/cms-core Information Disclosure due to Out-of-scope Site Resolution
TYPO3 is an open source PHP based web content management system. Starting in version 9.4.0 and prior to versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, and 12.4.4, in multi-site scenarios, enumerating the HTTP query parameters `id` and `L` allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available. TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4 fix the problem.
Vulnerability Analysis
CVE-2023-38499 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2023-38499 has been classified to as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2023-38499
Want to know whenever a new CVE is published for TYPO3? stack.watch will email you.
Affected Versions
typo3:- Version >= 9.4.0, < 9.5.42 is affected.
- Version >= 10.0.0, < 10.4.39 is affected.
- Version >= 11.0.0, < 11.5.30 is affected.
- Version >= 12.0.0, < 12.4.4 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.