CVE-2024-22188

TYPO3 before 13.0.1 allows an authenticated admin user (with system maintainer privileges) to execute arbitrary shell commands (with the privileges of the web server) via a command injection vulnerability in form fields of the Install Tool. The fixed versions are 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, and 13.0.1.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/TYPO3/typo3/security/advisories/GHSA-5w2h-59j3-8x5w	Vendor Advisory
https://typo3.org/security/advisory/typo3-core-sa-2024-002	Vendor Advisory
https://github.com/TYPO3/typo3/security/advisories/GHSA-5w2h-59j3-8x5w	Vendor Advisory
https://typo3.org/help/security-advisories	Vendor Advisory
https://typo3.org/security/advisory/typo3-core-sa-2024-002	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:typo3:typo3::::::::
	cpe:2.3:a:typo3:typo3::::::::
	cpe:2.3:a:typo3:typo3::::::::
	cpe:2.3:a:typo3:typo3::::::::
	cpe:2.3:a:typo3:typo3::::::::
	cpe:2.3:a:typo3:typo3:13.0.0:::::::*

History

15 Sep 2025, 17:21

Type	Values Removed	Values Added
References	~~() https://github.com/TYPO3/typo3/security/advisories/GHSA-5w2h-59j3-8x5w -~~	() https://github.com/TYPO3/typo3/security/advisories/GHSA-5w2h-59j3-8x5w - Vendor Advisory
References	~~() https://typo3.org/security/advisory/typo3-core-sa-2024-002 -~~	() https://typo3.org/security/advisory/typo3-core-sa-2024-002 - Vendor Advisory
References	~~() https://typo3.org/help/security-advisories -~~	() https://typo3.org/help/security-advisories - Vendor Advisory
First Time		Typo3 typo3 Typo3
CPE		cpe:2.3:a:typo3:typo3:13.0.0:::::::* cpe:2.3:a:typo3:typo3::::::::

Information

Published : 2024-03-05 02:15

Updated : 2025-09-15 17:21

NVD link : CVE-2024-22188

Mitre link : CVE-2024-22188

CVE.ORG link : CVE-2024-22188

JSON object : View

Products Affected

typo3

typo3

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2024-22188", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2024-03-05T02:15:27.443", "references": [{"url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-5w2h-59j3-8x5w", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://typo3.org/security/advisory/typo3-core-sa-2024-002", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-5w2h-59j3-8x5w", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://typo3.org/help/security-advisories", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://typo3.org/security/advisory/typo3-core-sa-2024-002", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "TYPO3 before 13.0.1 allows an authenticated admin user (with system maintainer privileges) to execute arbitrary shell commands (with the privileges of the web server) via a command injection vulnerability in form fields of the Install Tool. The fixed versions are 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, and 13.0.1."}, {"lang": "es", "value": "TYPO3 anterior a 13.0.1 permite a un usuario administrador autenticado (con privilegios de mantenimiento del sistema) ejecutar comandos de shell arbitrarios (con los privilegios del servidor web) a trav\u00e9s de una vulnerabilidad de inyecci\u00f3n de comandos en los campos de formulario de la herramienta de instalaci\u00f3n. Las versiones fijas son 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS y 13.0.1."}], "lastModified": "2025-09-15T17:21:54.450", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D27B5B1C-F807-411B-BCA1-112C85BDC3E5", "versionEndExcluding": "8.7.57", "versionStartIncluding": "8.0.0"}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E1F52D81-C2B7-4AFE-A99E-7E40E0751082", "versionEndExcluding": "9.5.46", "versionStartIncluding": "9.0.0"}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CCF72A1A-60DD-4588-8E90-B5D6D84854A9", "versionEndExcluding": "10.4.43", "versionStartIncluding": "10.0.0"}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DAE0085D-3BA8-4076-BAB0-04BBB118A78D", "versionEndExcluding": "11.5.35", "versionStartIncluding": "11.0.0"}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D518ED7-F1C8-4836-B3D8-4D228A48F314", "versionEndExcluding": "12.4.11", "versionStartIncluding": "12.0.0"}, {"criteria": "cpe:2.3:a:typo3:typo3:13.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E20E3F5E-8C2B-4AC1-A3E3-B428710A5480"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}