CVE-2023-24814 – Persisted Cross-Site Scripting in Frontend Rendering in typo3

https://notcve.org/view.php?id=CVE-2023-24814

07 Feb 2023 — TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and... • https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Setup/Config/Index.html#absrefprefix • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •