PT-2022-16037 · Typo3 · Typo3
Oliver Hader · Published 2022-12-13 · Updated 2024-03-06
CVE-2022-23504
CVSS v3.1: 5.7 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions
TYPO3 versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1
Description
The issue stems from missing handling of user-submitted YAML placeholder expressions in the site configuration backend module. This allows an attacker to expose sensitive internal information, such as the system configuration or the HTTP request messages of other website visitors. A valid backend user account with administrator privileges is required to exploit this issue.
Recommendations
Update to TYPO3 versions 9.5.38 ELTS, 10.4.33, 11.5.20, or 12.1.1 to fix the problem.
As a temporary workaround, consider restricting access to the site configuration backend module for users with administrator privileges until the patch is applied.
Avoid using the YAML placeholder expression feature in the site configuration backend module until the issue is resolved.
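To support the workaround above, an administrator can audit existing site configurations for placeholder expressions before deciding which entries to keep. The following script is an added example, not part of the advisory or of TYPO3 itself; it assumes that placeholder expressions take the form `%...%` (for instance `%env(NAME)%`), that the configuration has already been parsed into nested dicts and lists (for real files, `yaml.safe_load` on `config/sites/<name>/config.yaml`), and it uses a constructed sample configuration.

```python
import re
from typing import Any, Iterator

# Placeholder expressions in TYPO3 site configuration are written as %...%,
# e.g. %env(NAME)%. Assumption: this regex approximates that syntax; it is
# not TYPO3's own YAML loader.
PLACEHOLDER_RE = re.compile(
    r"%[A-Za-z_][A-Za-z0-9_]*\([^%]*\)%"   # function-style, e.g. %env(NAME)%
    r"|%[A-Za-z_][A-Za-z0-9_.]*%"          # key-style, e.g. %some.key%
)


def find_placeholders(node: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Walk a parsed site configuration and yield (dotted path, expression)
    for every string value that contains a placeholder expression."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_placeholders(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_placeholders(value, f"{path}[{index}]")
    elif isinstance(node, str):
        for match in PLACEHOLDER_RE.finditer(node):
            yield path, match.group(0)


def audit_site_config(config: dict) -> list[tuple[str, str]]:
    """Return a sorted, de-duplicated list of (path, expression) findings."""
    return sorted(set(find_placeholders(config)))


# Constructed sample standing in for a parsed config.yaml; the placeholder in
# errorContentSource is the kind of entry an administrator should review.
SAMPLE_SITE_CONFIG = {
    "rootPageId": 1,
    "base": "https://example.test/",
    "languages": [{"languageId": 0, "title": "Default", "base": "/"}],
    "errorHandling": [
        {"errorCode": 404, "errorHandler": "Page",
         "errorContentSource": "%env(ERROR_PAGE)%"},
    ],
    "settings": {"note": "Plain text, nothing to report"},
}

if __name__ == "__main__":
    for path, expr in audit_site_config(SAMPLE_SITE_CONFIG):
        print(f"placeholder {expr} found at {path}")
```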
Vulnerability type: Information Disclosure
Affected Products
Typo3