CVE-2023-24814 Overview
CVE-2023-24814 is a persistent cross-site scripting (XSS) vulnerability [CWE-79] affecting TYPO3, an open-source Content Management Framework. The flaw resides in the TYPO3 core component GeneralUtility::getIndpEnv(), which uses the unfiltered server environment variable PATH_INFO. When combined with the TypoScript setting config.absRefPrefix=auto, attackers can inject malicious HTML into pages that have not yet been rendered and cached. Injected payloads are then cached and delivered to subsequent website visitors. Apache web server deployments using CGI (FPM, FCGI/FastCGI) are confirmed affected, with potential exposure to nginx, IIS, and Apache/mod_php configurations.
Critical Impact
Attackers can persistently inject HTML and script payloads into cached TYPO3 pages, allowing session theft, credential harvesting, and arbitrary client-side code execution against all subsequent visitors.
Affected Products
- TYPO3 versions prior to 8.7.51 ELTS
- TYPO3 versions prior to 9.5.40 ELTS and 10.4.35 LTS
- TYPO3 versions prior to 11.5.23 LTS and 12.2.0
Discovery Timeline
- 2023-02-07 - CVE-2023-24814 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-24814
Vulnerability Analysis
The vulnerability stems from how TYPO3 processes the PATH_INFO server environment variable within GeneralUtility::getIndpEnv(). This function returns request metadata used throughout the framework, including the resolved value of SCRIPT_NAME. Under CGI-based PHP execution, attackers control PATH_INFO by appending arbitrary content to the request URL. TYPO3 incorporated this attacker-controlled value into the TypoScriptFrontendController::$absRefPrefix property when the TypoScript directive config.absRefPrefix=auto was configured. The unsanitized prefix was then concatenated into HTML output as a URI prefix for links, images, and resources. Because TYPO3 caches rendered pages, the first request carrying a malicious PATH_INFO poisons the cache, and the injected payload is served to every following visitor.
Root Cause
The root cause is improper neutralization of input during web page generation. GeneralUtility::getIndpEnv() trusted PATH_INFO without filtering, and TypoScriptFrontendController::$absRefPrefix was emitted into HTML without context-aware encoding. Both an input-trust failure and an output-encoding failure had to coincide for exploitation.
Attack Vector
An attacker crafts a URL containing HTML or JavaScript appended to a TYPO3 endpoint, targeting any uncached page. TYPO3 resolves the malicious PATH_INFO, builds an absRefPrefix containing attacker markup, and renders the page. The poisoned response is stored in the page cache and replayed to all visitors until the cache expires. Exploitation requires user interaction (visiting the poisoned page) and works across origin boundaries through the cached response.
// Patch excerpt: typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php
// [SECURITY] Prevent XSS due to wrong PATH_INFO evaluation
protected static function getPathThisScriptNonCli()
{
if (Environment::isRunningOnCgiServer() && !Environment::usesCgiFixPathInfo()) {
throw new \Exception('TYPO3 does only support being used with cgi.fix_pathinfo=1 on CGI server APIs.', 1675108421);
}
return $_SERVER['SCRIPT_FILENAME'];
}
// Patch excerpt: typo3/sysext/core/Classes/Http/NormalizedParams.php
$scriptNameOnFileSystem = self::determineScriptName(
$serverParams,
$configuration,
$isHttps,
$isBehindReverseProxy
);
$scriptName = $this->scriptName = self::encodeFileSystemPathComponentForUrlPath($scriptNameOnFileSystem);
Source: TYPO3 Security Commit 0005a6f
Detection Methods for CVE-2023-24814
Indicators of Compromise
- Web server access logs containing HTML tags, angle brackets, or JavaScript event handlers within the PATH_INFO portion of URLs requested against TYPO3 endpoints.
- Cached TYPO3 page content where <base>, <a>, or asset URLs contain injected script fragments or unexpected attribute payloads.
- Repeated requests to uncached pages from a single source immediately preceding wide distribution of a poisoned page.
Detection Strategies
- Inspect TYPO3 cf_cache_pages and cf_cache_pagesection tables for stored HTML containing executable script content or unexpected absRefPrefix values.
- Deploy WAF signatures that block URL paths containing <, >, ", or javascript: sequences appended after the script name in TYPO3 routes.
- Correlate Apache, nginx, or IIS access logs with cache write events to identify cache poisoning attempts.
Monitoring Recommendations
- Alert on TYPO3 instances where config.absRefPrefix=auto is configured in TypoScript, as these are directly exposed.
- Monitor for outbound JavaScript references from CMS-rendered pages to unknown third-party domains.
- Track PHP execution mode and CGI configuration (cgi.fix_pathinfo) across web server inventory to identify exposed deployments.
How to Mitigate CVE-2023-24814
Immediate Actions Required
- Upgrade TYPO3 to a patched release: 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS, or 12.2.0.
- Flush all TYPO3 page caches after patching to remove any payloads stored prior to remediation.
- Audit TypoScript configurations for config.absRefPrefix=auto and convert them to static values.
Patch Information
The official fix is delivered in commit 0005a6fd86ab97eff8bf2e3a5828bf0e7cb6263a. It removes use of PATH_INFO from GeneralUtility::getIndpEnv() and applies context-appropriate encoding to TypoScriptFrontendController::$absRefPrefix for both URI and HTML output. Full details are available in the TYPO3 Core Security Advisory TYPO3-CORE-SA-2023-001 and the GitHub Security Advisory GHSA-r4f8-f93x-5qh3.
Workarounds
- Set config.absRefPrefix to a static path such as config.absRefPrefix=/ instead of auto. This mitigates the most prominent manifestation but does not address all aspects of the vulnerability.
- Restrict CGI/FastCGI execution where feasible and validate that cgi.fix_pathinfo is set to 1 to align with TYPO3 patched behavior.
- Place a reverse proxy or WAF in front of TYPO3 to strip or reject request paths containing HTML metacharacters.
# TypoScript intermediate mitigation
config.absRefPrefix = /
# php.ini hardening for CGI deployments
cgi.fix_pathinfo = 1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
