• Component Type: TYPO3 CMS
• Subcomponent: URL Routing (ext:core)
• Release Date: July 25, 2023
• Vulnerability Type: Information Disclosure
• Affected Versions: 9.4.0-9.5.41, 10.0.0-10.4.38, 11.0.0-11.5.29, 12.0.0-12.4.3
• Severity: Low
• Suggested CVSS:CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
• References:CVE-2023-38499, CWE-200

Problem Description

In multi-site scenarios, enumerating the HTTP query parameters id and L allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available.

Solution

Update to TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4 that fix the problem described above.

Strong security defaults - Manual actions required

Resolving sites by the id and L HTTP query parameters is now denied per default. However, it is still allowed to resolve a particular page by e.g. example.org - as long as the page-id 123 is in the scope of the site configured for the base-url example.org.

The new feature flag security.frontend.allowInsecureSiteResolutionByQueryParameters - which is disabled per default - can be used to reactivate the previous behavior.

Credits

Thanks to Garvin Hicking who reported this issue, and to TYPO3 core & security team members Oliver Hader and Benjamin Franzke who fixed the issue.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security related code changes are tagged so that you can easily look them up in our review system.