PT-2023-26479 · Typo3 · Typo3

Garvin Hicking · Published 2023-07-25 · Updated 2024-03-06 · CVE-2023-38499

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

- TYPO3 versions 9.4.0 through 9.5.41 ELTS
- TYPO3 versions 10.4.0 through 10.4.38 ELTS
- TYPO3 versions 11.5.0 through 11.5.29
- TYPO3 versions 12.4.0 through 12.4.3

Description

In multi-site scenarios, enumerating the HTTP query parameters id and L allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available.

Recommendations

- Update to TYPO3 version 9.5.42 ELTS to fix the problem.
- Update to TYPO3 version 10.4.39 ELTS to fix the problem.
- Update to TYPO3 version 11.5.30 to fix the problem.
- Update to TYPO3 version 12.4.4 to fix the problem.

As a temporary workaround, consider disabling the resolution of sites by the id and L HTTP query parameters until a patch is available. Note that the new feature flag security.frontend.allowInsecureSiteResolutionByQueryParameters can be used to reactivate the previous behavior, but it is disabled by default.
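The feature flag named above is set through TYPO3's standard feature-toggle array. The fragment below is an added example, not code from the advisory or the TYPO3 project; it assumes the override file is typo3conf/AdditionalConfiguration.php (TYPO3 9 to 11) or config/system/additional.php (TYPO3 12), and that the flag only exists once one of the fixed releases listed above is installed. It shows the patched (secure) setting beside the weak one that re-enables site resolution by query parameters.

```php
<?php
// Added example (not from the advisory or TYPO3 itself).
// Place in typo3conf/AdditionalConfiguration.php (TYPO3 9-11)
// or config/system/additional.php (TYPO3 12).

// Secure setting: this is already the default in the fixed releases
// (9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4). Sites are resolved from the
// request host and path only, so the id and L query parameters can no longer
// select another site's content. Setting it explicitly documents the intent
// and survives an Install Tool change made by mistake.
$GLOBALS['TYPO3_CONF_VARS']['SYS']['features']
    ['security.frontend.allowInsecureSiteResolutionByQueryParameters'] = false;

// Weak setting, shown for contrast only: restores the pre-patch behaviour
// described in CVE-2023-38499, where id= and L= pick the site. Leave it
// commented out; enable it only if a legacy integration truly depends on it
// and the instance serves no internal site that must stay private.
// $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']
//     ['security.frontend.allowInsecureSiteResolutionByQueryParameters'] = true;
```

After deploying, confirm the effective value under Admin Tools > Settings > Feature Toggles (or by inspecting the rendered configuration in the Install Tool), and verify from the public site that appending handcrafted id and L parameters now yields the public site's own pages or a 404 rather than content from any other site.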

Type: Information Disclosure

Weakness Enumeration: none listed

Related Identifiers

- BIT-TYPO3-2023-38499
- CVE-2023-38499
- GHSA-JQ6G-4V5M-WM9R

Affected Products

- Typo3