Low severity3.7NVD Advisory· Published Jul 25, 2023· Updated Jun 17, 2026
CVE-2023-38499
CVE-2023-38499
Description
TYPO3 is an open source PHP based web content management system. Starting in version 9.4.0 and prior to versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, and 12.4.4, in multi-site scenarios, enumerating the HTTP query parameters id and L allowed out-of-scope access to rendered content in the website frontend. For instance, this allowed visitors to access content of an internal site by adding handcrafted query parameters to the URL of a site that was publicly available. TYPO3 versions 9.5.42 ELTS, 10.4.39 ELTS, 11.5.30, 12.4.4 fix the problem.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
typo3/cms-corePackagist | >= 9.4.0, < 9.5.42 | 9.5.42 |
typo3/cms-corePackagist | >= 10.0.0, < 10.4.39 | 10.4.39 |
typo3/cms-corePackagist | >= 11.0.0, < 11.5.30 | 11.5.30 |
typo3/cms-corePackagist | >= 12.0.0, < 12.4.4 | 12.4.4 |
Affected products
3- osv-coords2 versions
>= 9.4.0, < 9.5.42+ 1 more
- (no CPE)range: >= 9.4.0, < 9.5.42
- (no CPE)range: >= 9.4.0, < 9.5.42
Patches
Vulnerability mechanics
References
5- github.com/TYPO3/typo3/commit/702e2debd4b28f9cdb540544565fe6a8627ccb6anvdPatchWEB
- github.com/TYPO3/typo3/security/advisories/GHSA-jq6g-4v5m-wm9rnvdVendor AdvisoryWEB
- github.com/advisories/GHSA-jq6g-4v5m-wm9rghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-38499ghsaADVISORY
- typo3.org/security/advisory/typo3-core-sa-2023-003nvdVendor AdvisoryWEB
News mentions
0No linked articles in our index yet.