PT-2021-23098 · Typo3 · Typo3

Benjamin Franzke

·

Published

2021-10-05

·

Updated

2024-03-06

·

CVE-2021-41114

CVSS v2.0

5.0

Medium

Vector AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions TYPO3 11.x releases before 11.5.0. The regression was introduced during TYPO3 v11 development; 10.x and earlier releases still evaluate the trusted-hosts setting and are not affected.
Description The issue is host spoofing caused by improper validation of the HTTP Host header. TYPO3 uses this header to generate absolute URLs, for example during frontend rendering. Because the header is supplied by the client, it can be set to any value, even in a name-based virtual host setup where the web server still routes the request to the TYPO3 site. A regression during TYPO3 v11 development meant that the existing setting $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] was no longer evaluated, so a forged Host value was accepted and ended up in generated absolute URLs. The CVSS vector (C:N/I:P/A:N) reflects this: an attacker can influence the integrity of generated links, not read data or cause an outage.
Recommendations Update to TYPO3 11.5.0, which restores evaluation of trustedHostsPattern (see the upstream advisory GHSA-M2JH-FXW4-GPHM). After updating, verify that $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] is set to the hostname(s) actually served (the default 'SERVER_NAME' or an explicit regular expression) and not to '.*', which accepts every Host value and disables the check. Where an update is not yet possible, a compensating control at the web server is to serve TYPO3 only from virtual hosts with explicit server names and to answer requests with unexpected Host values from a separate default virtual host, so that forged headers never reach the application. To test an instance, send a request with a Host header that is not one of the configured names and inspect the response for absolute URLs that use the forged host.
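The following is an added example, not code from the TYPO3 project or from this advisory. It models in Python how a client-supplied Host header reaches a generated absolute URL when the trusted-hosts setting is skipped (the regression described above), how the same request is refused once the pattern is evaluated again, and a black-box check that spots forged hosts reflected in a response body. The `host_is_trusted` function is an approximation of the documented semantics of `trustedHostsPattern` ('SERVER_NAME', '.*', or a regular expression); the requests, server name and response body are constructed for the example, and the function and parameter names are the example's own.

```python
import re
from urllib.parse import urlunsplit

# Constructed sample requests; none of this is captured from a real TYPO3 site.
# The server is configured for www.example.org; the second request carries a
# forged Host header, as a client can send it to a name-based virtual host.
SERVER_NAME = "www.example.org"
LEGIT_REQUEST = {"scheme": "https", "headers": {"Host": "www.example.org"}}
FORGED_REQUEST = {"scheme": "https", "headers": {"Host": "attacker.example"}}


class UntrustedHostError(ValueError):
    """Raised when the Host header does not satisfy the trusted-hosts policy."""


def host_is_trusted(host, trusted_hosts_pattern="SERVER_NAME", server_name=SERVER_NAME):
    """Approximation (assumption, not TYPO3's own code) of the documented
    semantics of $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']:
      'SERVER_NAME'  -> Host must equal the configured server name; an
                        optional ':port' suffix is accepted
      '.*'           -> every Host value is accepted (disables the check)
      anything else  -> a regular expression the whole Host header must match
    """
    if trusted_hosts_pattern == "SERVER_NAME":
        return re.fullmatch(re.escape(server_name) + r"(:\d{1,5})?", host) is not None
    return re.fullmatch(trusted_hosts_pattern, host) is not None


def absolute_url(request, path, query="", *, evaluate_pattern=True,
                 trusted_hosts_pattern="SERVER_NAME", server_name=SERVER_NAME):
    """Build an absolute URL from the request's Host header, as a CMS does for
    links in rendered pages and notification e-mails.

    evaluate_pattern=False models the regression: the trustedHostsPattern
    setting exists but is never consulted, so whatever the client sent as
    Host becomes the authority of the generated URL.
    """
    host = request["headers"]["Host"]
    if evaluate_pattern and not host_is_trusted(host, trusted_hosts_pattern, server_name):
        raise UntrustedHostError(f"Host header {host!r} rejected by trustedHostsPattern")
    return urlunsplit((request["scheme"], host, path, query, ""))


def reflected_urls(html, forged_host):
    """Black-box check for a response obtained with a forged Host header:
    return every absolute URL in the body whose authority is exactly the
    forged host. A non-empty result means the application trusted the
    client-supplied Host when it generated links."""
    urls = re.findall(r"https?://[^\s\"'<>]+", html)
    authority = r"https?://" + re.escape(forged_host) + r"(?:[:/?#]|$)"
    return [u for u in urls if re.match(authority, u)]


if __name__ == "__main__":
    # Regression present: the forged host lands in a password-reset style link.
    poisoned = absolute_url(FORGED_REQUEST, "/index.php", "reset=constructed-token",
                            evaluate_pattern=False)
    print("vulnerable:", poisoned)
    # Pattern evaluated again: the same request is refused.
    try:
        absolute_url(FORGED_REQUEST, "/index.php", "reset=constructed-token")
    except UntrustedHostError as exc:
        print("fixed:     ", exc)
    # Constructed response body, as a scanner sees it after sending the forged Host.
    body = f'<a href="{poisoned}">Reset</a> <link href="https://www.example.org/style.css">'
    print("reflected:", reflected_urls(body, "attacker.example"))
```

The `reflected_urls` check deliberately requires the forged host to be followed by a port, path, query, fragment or the end of the URL, so that `attacker.example.org` is not counted as a reflection of `attacker.example`. When testing a real instance, send the forged Host with curl's `-H 'Host: ...'` against the site's real address and feed the response body to the same check.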

Related Identifiers

BIT-TYPO3-2021-41114
CVE-2021-41114
GHSA-M2JH-FXW4-GPHM

Affected Products

Typo3