CVE-2023-38499
LowCVSS 3.7Exploitation Probability (EPSS)
Elevated risk54th percentile — higher than 54% of all known CVEs
Summary
TYPO3 is a PHP-based content management system that had a vulnerability in versions from 9.4.0 to 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, and 12.4.4, allowing out-of-scope access to content in multi-site scenarios. This enabled visitors to access internal site content by manipulating HTTP query parameters in the URL.
Risk Assessment
Organizations may be exposed to unauthorized access to sensitive content, potentially leading to data leaks or privacy violations. Possible consequences include loss of user trust and legal issues related to data protection.
Recommendation
It is recommended to update TYPO3 to versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, or 12.4.4 to mitigate this vulnerability. Additionally, conducting a security audit of the application is advisable to identify other potential threats.
Original NVD description (English source)
TYPO3 is an open source PHP based web content management system. Starting in version 9.4.0 and prior to versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, and 12.4.4, in multi-site scenarios, enumerating the HTTP query parameters `id` and `L` allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available. TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4 fix the problem.

