CVE-2022-23503
TYPO3 CMS vulnerable to Arbitrary Code Execution via Form Framework
Description
### Problem

Because user-submitted data was not separated from the internal configuration in the Form Designer backend module, it was possible to inject code instructions that TypoScript then processed and executed as PHP code. Exploiting this vulnerability requires both individual TypoScript instructions for a particular form item (known as [`formDefinitionOverrides`](https://docs.typo3.org/c/typo3/cms-form/main/en-us/I/Concepts/FrontendRendering/Index.html#form-element-properties)) and a valid backend user account with access to the form module.

### Solution

Update to TYPO3 versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20 or 12.1.1, which fix the problem described above.

### References

* [TYPO3-CORE-SA-2022-015](https://typo3.org/security/advisory/typo3-core-sa-2022-015)
How to fix CVE-2022-23503
To remediate CVE-2022-23503, upgrade the affected package to a fixed version below.
- — upgrade to 8.7.49 or later
- — upgrade to 10.4.33 or later
- — upgrade to 8.7.49 or later
Is CVE-2022-23503 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 8.0.0, < 8.7.49, >= 9.0.0, < 9.5.38, >= 10.0.0, < 10.4.33, >= 11.0.0, < 11.5.20, >= 12.0.0, < 12.1.1
- >= 10.0.0, < 10.4.33
- >= 8.0.0, < 8.7.49
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |