CVE-2023-38499— typo3/cms-core Information Disclosure due to Out-of-scope Site Resolution

CVSS 3.7 · Low EPSS 2.11% · P84 Updated Jan 25, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-38499

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

typo3/cms-core Information Disclosure due to Out-of-scope Site Resolution

Source: NVD (National Vulnerability Database)

Vulnerability Description

TYPO3 is an open source PHP based web content management system. Starting in version 9.4.0 and prior to versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, and 12.4.4, in multi-site scenarios, enumerating the HTTP query parameters `id` and `L` allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available. TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4 fix the problem.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

信息暴露

Source: NVD (National Vulnerability Database)

Vulnerability Title

TYPO3 信息泄露漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

TYPO3是瑞士TYPO3协会的一套免费开源的内容管理系统(框架)(CMS/CMF)。 TYPO3存在信息泄露漏洞，该漏洞源于允许攻击者将查询参数添加到网站url来访问内部内容，从而导致信息泄露。受影响的产品和版本：TYPO3 9.4.0至9.5.42 ELTS之前版本，10.4.39 ELTS版本之前版本，11.5.30版本之前版本，12.4.4版本之前版本。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
TYPO3	typo3	>= 9.4.0, < 9.5.42	-

II. Public POCs for CVE-2023-38499

#	POC Description	Source Link	Shenlong Link
1	None	https://github.com/miguelc49/CVE-2023-38499-2	POC Details
2	None	https://github.com/miguelc49/CVE-2023-38499-1	POC Details
3	None	https://github.com/miguelc49/CVE-2023-38499-3	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2023-38499

请登录查看更多情报信息。

https://typo3.org/security/advisory/typo3-core-sa-2023-003x_refsource_MISC
https://github.com/TYPO3/typo3/security/advisories/GHSA-jq6g-4v5m-wm9rx_refsource_CONFIRM
https://github.com/TYPO3/typo3/commit/702e2debd4b28f9cdb540544565fe6a8627ccb6ax_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2023-38499

IV. Related Vulnerabilities

Same product: typo3

Same vendor: TYPO3

Same weakness: CWE-200

V. Comments for CVE-2023-38499

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2023-38499— typo3/cms-core Information Disclosure due to Out-of-scope Site Resolution

I. Basic Information for CVE-2023-38499

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2023-38499

III. Intelligence Information for CVE-2023-38499

IV. Related Vulnerabilities

V. Comments for CVE-2023-38499

Leave a comment