Kevin Andrews

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions prior to 8.7.51 ELTS TYPO3 versions prior to 9.5.40 ELTS TYPO3 versions prior to 10.4.35 LTS TYPO3 versions prior to 11.5.23 LTS TYPO3 versions prior to 12.2.0 **Description** The TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and delivered to other website visitors, resulting in persisted cross-site scripting. Individual code which relies on the resolved value of `GeneralUtility::getIndpEnv('SCRIPT NAME')` and corresponding usages are vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod php are vulnerable. **Recommendations** Update to TYPO3 version 8.7.51 ELTS to fix the issue. Update to TYPO3 version 9.5.40 ELTS to fix the issue. Update to TYPO3 version 10.4.35 LTS to fix the issue. Update to TYPO3 version 11.5.23 LTS to fix the issue. Update to TYPO3 version 12.2.0 to fix the issue. For users who are unable to patch in a timely manner, the TypoScript setting `config.absRefPrefix` should at least be set to a static path value, instead of using auto - e.g. `config.absRefPrefix=/`. This workaround does not fix all aspects of the vulnerability, and is just considered to be an intermediate mitigation to the most prominent manifestation.