PT-2021-14442 · Typo3 · Typo3

Kay Strobach

Published

2021-03-23

Updated

2024-03-06

CVE-2021-21359

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions TYPO3 versions prior to 9.5.25 TYPO3 versions prior to 10.4.14 TYPO3 versions prior to 11.1.1

Description The issue arises when requesting invalid or non-existing resources via HTTP, triggering the page error handler. This handler can retrieve content from another page to be shown as an error message, leading to a recursive application call that amplifies the initial attack's impact until the web server's limits are exceeded.

Recommendations Update to version 9.5.25 to resolve the issue. Update to version 10.4.14 to resolve the issue. Update to version 11.1.1 to resolve the issue.

Exploit

Fix

Uncontrolled Recursion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-674CWE-405

Related Identifiers

BIT-TYPO3-2021-21359

CVE-2021-21359

GHSA-4P9G-QGX9-397P

Affected Products

Typo3

PT-2021-14442 · Typo3 · Typo3

CVE-2021-21359

Weakness Enumeration

Related Identifiers

Affected Products

References · 11