PT-2024-19263 · Typo3 · Typo3
Author: Daniel Jonka (+1)
Published: 2024-02-13
Updated: 2025-09-15
CVE-2024-22188
CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
TYPO3 versions 8.7.0 through 8.7.56 ELTS
TYPO3 versions 9.5.0 through 9.5.45 ELTS
TYPO3 versions 10.4.0 through 10.4.42 ELTS
TYPO3 versions 11.5.0 through 11.5.34 LTS
TYPO3 versions 12.4.0 through 12.4.10 LTS
TYPO3 versions prior to 13.0.1
Description
The vulnerability allows an authenticated backend administrator who also holds system maintainer privileges to execute arbitrary shell commands with the privileges of the web server process, via command injection in form fields of the Install Tool. Exploitation therefore requires an administrator-level backend user account with system maintainer permissions, which confines the issue to already highly privileged accounts (reflected in the PR:H component of the CVSS vector above).
Recommendations
Update to TYPO3 version 8.7.57 ELTS
Update to TYPO3 version 9.5.46 ELTS
Update to TYPO3 version 10.4.43 ELTS
Update to TYPO3 version 11.5.35 LTS
Update to TYPO3 version 12.4.11 LTS
Update to TYPO3 version 13.0.1
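A version check against the affected and fixed ranges listed above, as an added example that is not part of the advisory or of TYPO3 itself. Version strings and host names are constructed, and the "unlisted" verdict for branches the advisory does not name is this example's own assumption.

```python
import re

# Fixed releases per branch, from the Recommendations above
# (PT-2024-19263 / CVE-2024-22188). Branch 13 is "prior to 13.0.1".
FIXED_BY_BRANCH = {
    (8, 7): (8, 7, 57),
    (9, 5): (9, 5, 46),
    (10, 4): (10, 4, 43),
    (11, 5): (11, 5, 35),
    (12, 4): (12, 4, 11),
}
FIXED_13 = (13, 0, 1)

# Accepts "12.4.10", "v12.4.10", "8.7.56 ELTS", "11.5.34 LTS".
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:\s*(?:ELTS|LTS))?\s*$", re.I)

def parse_version(text):
    """Turn a TYPO3 version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised TYPO3 version string: %r" % text)
    return tuple(int(p) for p in m.groups())

def assess(version_text):
    """Return ("affected", "<fixed release>"), ("fixed", None) or ("unlisted", None).

    "unlisted" is this example's own verdict for branches the advisory does not
    name (e.g. 11.4.x); they are typically out of maintenance, so review them
    rather than treating them as safe.
    """
    v = parse_version(version_text)
    if v[0] >= 13:
        fixed = FIXED_13
    else:
        fixed = FIXED_BY_BRANCH.get(v[:2])
        if fixed is None:
            return ("unlisted", None)
    if v < fixed:
        return ("affected", ".".join(map(str, fixed)))
    return ("fixed", None)

def report(inventory):
    """One line per host for a {host: version} dict (constructed input)."""
    lines = []
    for host, version in sorted(inventory.items()):
        status, fixed = assess(version)
        verdict = "affected, update to %s" % fixed if status == "affected" else status
        lines.append("%s: %s -> %s" % (host, version, verdict))
    return lines
```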
Fix
Command Injection
Code Injection
Affected Products: Typo3