PT-2022-16036 · Typo3 · Typo3

Sabine Deeken · Published 2022-12-13 · Updated 2024-03-06 · CVE-2022-23503

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: TYPO3 versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1

Description: The issue is a Code Injection vulnerability in the Form Designer backend module of TYPO3, an open-source, PHP-based web content management system. Because user-submitted data is not separated from internal configuration, an attacker can inject code instructions that are processed via TypoScript and executed as PHP code. Exploitation requires individual TypoScript instructions for a particular form item, such as formDefinitionOverrides, and a valid backend user account with access to the form module.

Recommendations: Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, or 12.1.1 to fix the issue. As a temporary workaround, restrict access to the Form Designer backend module to minimize the risk of exploitation, and avoid using individual TypoScript instructions for particular form items until the update has been applied.

Weakness Enumeration: Code Injection

Related Identifiers

BIT-TYPO3-2022-23503
CVE-2022-23503
GHSA-C5WX-6C2C-F7RM

Affected Products

Typo3