CVE-2023-24814 Overview
CVE-2023-24814 is a persistent Cross-Site Scripting (XSS) vulnerability affecting the TYPO3 Content Management System. The vulnerability exists in the core component GeneralUtility::getIndpEnv(), which uses the unfiltered server environment variable PATH_INFO, allowing attackers to inject malicious content into rendered pages. When combined with the TypoScript setting config.absRefPrefix=auto, attackers can inject malicious HTML code into pages that have not yet been rendered and cached, resulting in the injected values being stored in cache and delivered to other website visitors.
Critical Impact
This persisted XSS vulnerability allows attackers to inject malicious scripts that are cached and served to all subsequent visitors, potentially leading to credential theft, session hijacking, and widespread compromise of website users.
Affected Products
- TYPO3 versions prior to 8.7.51 ELTS
- TYPO3 versions prior to 9.5.40 ELTS
- TYPO3 versions prior to 10.4.35 LTS
- TYPO3 versions prior to 11.5.23 LTS
- TYPO3 versions prior to 12.2.0
Discovery Timeline
- February 7, 2023 - CVE-2023-24814 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-24814
Vulnerability Analysis
The vulnerability stems from improper handling of the PATH_INFO server environment variable within the TYPO3 core utility functions. The GeneralUtility::getIndpEnv() function processes this variable without proper sanitization, creating an injection point for malicious content. When TYPO3 is configured with config.absRefPrefix=auto, the framework automatically generates URL prefixes based on server environment values. Since PATH_INFO is attacker-controllable in certain web server configurations, malicious HTML or JavaScript can be injected through crafted requests.
The vulnerability is particularly dangerous because it affects the caching mechanism. When an attacker successfully injects malicious content into an uncached page, TYPO3 stores the tainted output in its cache system. All subsequent visitors to that page receive the cached content containing the malicious payload, effectively transforming a reflected XSS into a persistent attack vector. Apache web server deployments using CGI interfaces (FPM, FCGI/FastCGI) are confirmed affected, though other configurations including nginx, IIS, or Apache/mod_php may also be vulnerable.
Root Cause
The root cause is the direct use of the unfiltered PATH_INFO server environment variable in GeneralUtility::getIndpEnv('SCRIPT_NAME') and related functions. The PATH_INFO variable can be manipulated by attackers through specially crafted HTTP requests, and the absence of input validation or output encoding allows malicious content to flow into the rendered HTML output. Additionally, the TypoScriptFrontendController::$absRefPrefix property lacked proper encoding for both URI and HTML contexts, enabling the XSS payload to execute in victim browsers.
Attack Vector
Attackers exploit this vulnerability by sending crafted HTTP requests containing malicious JavaScript or HTML in the URL path. The attack targets Apache CGI deployments where PATH_INFO is populated from the request URI. When a page is requested with a malicious PATH_INFO value and the page hasn't been cached yet, the injected content becomes part of the cached page output. The attack requires no authentication and only needs user interaction from victims who subsequently visit the compromised cached page.
The security patch addresses the vulnerability by removing reliance on PATH_INFO and enforcing cgi.fix_pathinfo=1 for CGI environments:
/**
- * Calculate path to entry script if not in cli mode.
- *
- * Depending on the environment, the script path is found in different $_SERVER variables.
+ * Return path to entry script if not in cli mode.
*
* @return string Absolute path to entry script
*/
protected static function getPathThisScriptNonCli()
{
- $isCgi = Environment::isRunningOnCgiServer();
- if ($isCgi && Environment::usesCgiFixPathInfo()) {
- return $_SERVER['SCRIPT_FILENAME'];
- }
- $cgiPath = $_SERVER['ORIG_PATH_TRANSLATED'] ?? $_SERVER['PATH_TRANSLATED'] ?? '';
- if ($cgiPath && $isCgi) {
- return $cgiPath;
+ if (Environment::isRunningOnCgiServer() && !Environment::usesCgiFixPathInfo()) {
+ throw new \Exception('TYPO3 does only support being used with cgi.fix_pathinfo=1 on CGI server APIs.', 1675108421);
}
- return $_SERVER['ORIG_SCRIPT_FILENAME'] ?? $_SERVER['SCRIPT_FILENAME'];
+
+ return $_SERVER['SCRIPT_FILENAME'];
}
Source: TYPO3 Security Commit
The fix also adds proper URL encoding for the script name:
$requestHost = $this->requestHost = ($isHttps ? 'https://' : 'http://') . $httpHost;
$requestHostOnly = $this->requestHostOnly = self::determineRequestHostOnly($httpHost);
$this->requestPort = self::determineRequestPort($httpHost, $requestHostOnly);
- $scriptName = $this->scriptName = self::determineScriptName(
+ $scriptNameOnFileSystem = self::determineScriptName(
$serverParams,
$configuration,
$isHttps,
$isBehindReverseProxy
);
+ $scriptName = $this->scriptName = self::encodeFileSystemPathComponentForUrlPath($scriptNameOnFileSystem);
$requestUri = $this->requestUri = self::determineRequestUri(
$serverParams,
$configuration,
Source: TYPO3 Security Commit
Detection Methods for CVE-2023-24814
Indicators of Compromise
- Unusual or malformed PATH_INFO values in web server access logs containing HTML tags or JavaScript
- Cached TYPO3 pages containing unexpected <script> tags or event handlers in page source
- Web Application Firewall (WAF) alerts for XSS patterns in URL paths
- Reports from users experiencing unexpected redirects or pop-ups on previously normal pages
Detection Strategies
- Implement WAF rules to detect and block XSS payloads in URL path components
- Monitor web server logs for requests with suspicious characters in PATH_INFO such as <, >, ", or '
- Conduct regular security scans of TYPO3 cache directories to identify potentially compromised cached content
- Deploy Content Security Policy headers to detect and report inline script execution attempts
Monitoring Recommendations
- Enable detailed request logging on web servers to capture full URI paths including PATH_INFO
- Configure alerting for anomalous patterns in TYPO3 cache generation activity
- Implement real-time log analysis to flag requests containing URL-encoded HTML entities in paths
- Use SentinelOne's web application monitoring to detect XSS exploitation attempts targeting TYPO3 installations
How to Mitigate CVE-2023-24814
Immediate Actions Required
- Update TYPO3 immediately to versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS, or 12.2.0 or later
- Clear all TYPO3 caches after applying the security update to remove potentially compromised cached content
- Review web server access logs for evidence of exploitation attempts prior to patching
- If unable to patch immediately, implement the temporary workaround described below
Patch Information
TYPO3 has released security patches that address this vulnerability by removing the usage of the PATH_INFO server environment variable from GeneralUtility::getIndpEnv() processing. Additionally, the TypoScriptFrontendController::$absRefPrefix property is now properly encoded for both URI component usage and HTML context. Users should upgrade to the fixed versions through the official TYPO3 distribution channels. Detailed patch information is available in the TYPO3 Security Advisory and the TYPO3 Core Security Advisory.
Workarounds
- Set config.absRefPrefix to a static path value instead of auto (e.g., config.absRefPrefix=/)
- Note: This workaround does NOT fix all aspects of the vulnerability and should only be used as an interim measure
- Configure web server to reject requests with suspicious PATH_INFO patterns containing HTML characters
- Consider placing a web application firewall in front of TYPO3 to filter malicious requests
# TypoScript configuration workaround (partial mitigation only)
# Add to your TypoScript setup to use a static path instead of auto-detection
config.absRefPrefix = /
# Apache mod_security rule to block XSS attempts in PATH_INFO
# Add to your Apache configuration or .htaccess
SecRule REQUEST_URI "@contains <script" "id:1001,phase:1,deny,status:403,msg:'XSS attempt in URI'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
