漏洞标题
HTTP 主机头在 Typo3 的请求处理中的漏洞
漏洞描述信息
Typo3请求处理中的HTTP Host Header注入
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
漏洞类别
N/A
漏洞标题
HTTP Host Header Injection in Request Handling in Typo3
漏洞描述信息
TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP Host header. TYPO3 uses the HTTP Host header, for example, to generate absolute URLs during the frontend rendering process. Since the host header itself is provided by the client, it can be forged to any value, even in a name-based virtual hosts environment. This vulnerability is the same as described in TYPO3-CORE-SA-2014-001 (CVE-2014-3941). A regression, introduced during TYPO3 v11 development, led to this situation. The already existing setting $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] (used as an effective mitigation strategy in previous TYPO3 versions) was not evaluated anymore, and reintroduced the vulnerability.
CVSS信息
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
漏洞类别
输入验证不恰当
漏洞标题
TYPO3 安全漏洞
漏洞描述信息
TYPO3是瑞士TYPO3(Typo3)协会的一套免费开源的内容管理系统(框架)(CMS/CMF)。 TYPO3 v11版本存在安全漏洞,该漏洞源于缺少对于HTTP主机报头的有效验证,TYPO3 CMS很容易受到主机欺骗。
CVSS信息
N/A
漏洞类别
其他