CVE-2022-23504 Vulnerability Details

  /     /     /  

CVE-2022-23504 Metadata Quick Info

CVE Published: 14/12/2022 | CVE Updated: 03/08/2024 | CVE Year: 2022
Source: GitHub_M | Vendor: TYPO3 | Product: typo3
Status : PUBLISHED

---

CVE-2022-23504 Description

TYPO3 is an open source PHP based web content management system. Versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are subject to Sensitive Information Disclosure. Due to the lack of handling user-submitted YAML placeholder expressions in the site configuration backend module, attackers could expose sensitive internal information, such as system configuration or HTTP request messages of other website visitors. A valid backend user account having administrator privileges is needed to exploit this vulnerability. This issue has been patched in versions 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.

Metrics

CVSS Version: 3.1 | Base Score: 5.7 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* HIGH
    User Interaction (UI)* REQUIRED
    Scope (S)* UNCHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* HIGH
    Integrity Impact (I)* LOW
    Availability Impact (A)* LOW

Weakness Enumeration (CWE)

CWE-ID: CWE-200
CWE Name: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Source: TYPO3

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).