GMS-2022-8131: Duplicate of ./packagist/typo3/cms-core/CVE-2022-23504.yml

December 13, 2022

Problem

Due to the lack of handling user-submitted YAML placeholder expressions in the site configuration backend module, attackers could expose sensitive internal information, such as system configuration or HTTP request messages of other website visitors.

A valid backend user account having administrator privileges is needed to exploit this vulnerability.

Solution

Update to TYPO3 versions 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1 that fix the problem described above.

References

TYPO3-CORE-SA-2022-016

References

github.com/TYPO3/typo3/commit/d1e627ff7eef07bd94c53db861e85977b203900a
github.com/TYPO3/typo3/security/advisories/GHSA-8w3p-qh3x-6gjr
github.com/advisories/GHSA-8w3p-qh3x-6gjr
typo3.org/security/advisory/typo3-core-sa-2022-016

Code Behaviors & Features

Detect and mitigate GMS-2022-8131 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →