CVE-2024-22188 - authenticated remote code execution in TYPO3

Abstract

TYPO3 <=11.5.32 allows an authenticated admin user (with system maintainer privileges) to execute arbitrary shell commands (with the privileges of the web server) via a command injection vulnerability in a form field of the Settings dialog.

Attack Vector

A TYPO3 administrator with system maintainer privileges can execute arbitrary shell commands on the server hosting the installation. A form field in the Settings dialog is prone to command injection: its value is passed to the shell when the image processor is invoked.

Proof of Concept Details

To exploit this vulnerability, open Admintools => Settings => Configure Installation Wide options and set the value of [GFX][processor_stripColorProfileCommand] to:

    +profile '*'; <exploit_code>#

Then execute the injected code by clicking Admintools => Environment => Image Processing => Test Images.
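The root cause is a configuration string that ends up inside a shell command line without being treated as data. The following is an added example written for this page, not TYPO3's own code: it assumes (as the injection implies) that the configured option is concatenated into an ImageMagick `convert` command, and contrasts that pattern with a hardened variant that only accepts the documented option shapes (`+profile '<name>'` or `-strip`) and shell-escapes every token separately. The function names, the `convert` invocation and the file names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. Models a setting such as
// [GFX][processor_stripColorProfileCommand] being placed into a shell
// command line for the image processor.

/**
 * Vulnerable pattern: the configured text is pasted into the shell string
 * as-is. A ';' or '#' inside the value ends the convert command and lets
 * the remainder run as a separate shell command.
 */
function buildCommandUnsafe(string $configured, string $input, string $output): string
{
    return 'convert ' . escapeshellarg($input) . ' ' . $configured . ' ' . escapeshellarg($output);
}

/**
 * Hardened pattern: parse the setting against a strict grammar and return
 * an argument list. Anything outside "+profile 'name'" or "-strip" is
 * rejected, so shell metacharacters never reach the command line.
 */
function parseStripProfileOption(string $configured): array
{
    $value = trim($configured);
    if ($value === '-strip') {
        return ['-strip'];
    }
    // +profile followed by an optionally quoted profile name; the name is
    // limited to a conservative character set ('*' is the ImageMagick
    // wildcard used by the default value).
    if (preg_match('/^\+profile\s+([\'"]?)([A-Za-z0-9_*.\-]+)\1$/', $value, $m) === 1) {
        return ['+profile', $m[2]];
    }
    throw new InvalidArgumentException('Rejected processor_stripColorProfileCommand value: ' . $configured);
}

function buildCommandSafe(string $configured, string $input, string $output): string
{
    $args = array_merge(['convert', $input], parseStripProfileOption($configured), [$output]);
    // Each token is escaped on its own, so the shell sees exactly one
    // argument per element and no command separators.
    return implode(' ', array_map('escapeshellarg', $args));
}

// Constructed sample values: the default setting and a tampered one in the
// shape described in the proof of concept (placeholder instead of a payload).
$samples = [
    "+profile '*'",
    "+profile '*'; <injected_command>#",
];

foreach ($samples as $value) {
    echo "setting: {$value}\n";
    echo "  unsafe: " . buildCommandUnsafe($value, 'in.jpg', 'out.jpg') . "\n";
    try {
        echo "  safe:   " . buildCommandSafe($value, 'in.jpg', 'out.jpg') . "\n";
    } catch (InvalidArgumentException $e) {
        echo "  safe:   " . $e->getMessage() . "\n";
    }
}
```

Run with `php example.php`: for the default value both variants yield a usable `convert` command, while for the tampered value the unsafe variant produces a command line containing the injected text and the hardened variant refuses the setting. Treating the option as a parsed argument list rather than free text is the mitigation; restricting who may change system maintainer settings limits who can reach the weak spot in the first place.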

Timeline

  • day 0: pentest for undisclosed customer
  • day 14: issue was reported to TYPO3
  • day 14: CVE was requested from MITRE
  • day 14: TYPO3 acknowledged the issue
  • day 15: MITRE issued CVE-2024-22188
  • day 39: TYPO3 released fixed versions

Credit

djo@mioso.com

References

  • MITRE CVE Record
  • TYPO3 advisory
  • GitHub advisory