CVE-2024-22188
📋 TL;DR
This CVE describes a command injection vulnerability in TYPO3's Install Tool that allows authenticated admin users with system maintainer privileges to execute arbitrary shell commands with web server privileges. The vulnerability affects TYPO3 versions before the patched releases. Attackers can gain remote code execution on affected systems.
💻 Affected Systems
- TYPO3 CMS
📦 What is this software?
Typo3 by Typo3
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attackers to execute arbitrary commands, access sensitive data, install malware, pivot to other systems, and maintain persistent access.
Likely Case
Authenticated attackers with admin privileges gain remote code execution, potentially leading to data theft, website defacement, or further system compromise.
If Mitigated
With proper access controls limiting admin privileges and network segmentation, impact is contained to the web application layer.
🎯 Exploit Status
Exploitation requires admin credentials but is straightforward once authenticated. No public exploit code available at time of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, or 13.0.1 depending on your version
Vendor Advisory: https://typo3.org/security/advisory/typo3-core-sa-2024-002
Restart Required: No
Instructions:
1. Identify your TYPO3 version.
2. Upgrade to the appropriate patched version for your release line.
3. Clear TYPO3 caches after the upgrade.
4. Verify the Install Tool no longer accepts malicious input.
🔧 Temporary Workarounds
Disable Install Tool Access
Restrict access to the Install Tool by removing or password-protecting the /typo3/install.php entry script. Renaming it and then stripping permissions from the renamed file keeps a copy for restoration after patching:
mv /path/to/typo3/install.php /path/to/typo3/install.php.disabled
chmod 000 /path/to/typo3/install.php.disabled
Restrict Admin Privileges
Review and limit system maintainer privileges to only essential users
🧯 If You Can't Patch
- Restrict network access to TYPO3 admin interface using firewall rules
- Implement web application firewall (WAF) rules to block command injection patterns
🔍 How to Verify
Check if Vulnerable:
Check TYPO3 version in Admin Panel or via composer show typo3/cms-core
Check Version:
composer show typo3/cms-core | grep version
Verify Fix Applied:
Verify that the installed version is at least the patched release for your release line: 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, or 13.0.1.
📡 Detection & Monitoring
Log Indicators:
- Unusual shell command execution in web server logs
- Multiple failed login attempts to admin interface followed by Install Tool access
- Suspicious POST requests to /typo3/install.php with shell metacharacters
Network Indicators:
- Unusual outbound connections from web server to command & control servers
- Unexpected process spawning from web server user
SIEM Query:
source="web_logs" AND uri="/typo3/install.php" AND method="POST" AND (params CONTAINS "|" OR params CONTAINS ";" OR params CONTAINS "`" OR params CONTAINS "$")
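As an added example (not part of the original advisory), the log indicator and SIEM query above expressed as a small Python check over constructed Apache combined-format access log lines: it flags POST requests to /typo3/install.php whose percent-decoded query string contains the shell metacharacters the query lists. The log format and the sample lines are assumptions.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Apache combined log format: client ident user [time] "METHOD TARGET PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
INSTALL_TOOL = "/typo3/install.php"
# Metacharacters from the advisory's SIEM query (pipe, separator, command substitution).
SHELL_META = set("|;`$")


def is_suspicious(line: str) -> Optional[dict]:
    """Return match details for a POST to the Install Tool carrying shell metacharacters, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    path, _, query = m["target"].partition("?")
    if path != INSTALL_TOOL:
        return None
    decoded = unquote_plus(query)  # compare after decoding so %3B, %7C etc. are not missed
    hits = sorted(c for c in SHELL_META if c in decoded)
    if not hits:
        return None
    return {"ip": m["ip"], "time": m["time"], "status": int(m["status"]), "metachars": hits}


def scan(lines) -> list:
    """Apply is_suspicious to every line and keep the hits."""
    return [r for r in (is_suspicious(line) for line in lines) if r]


# Constructed sample lines (assumed format, not real traffic): one benign GET, one benign POST,
# one POST with an encoded ';' in its parameters, one unrelated request with a '|'.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Feb/2024:12:00:01 +0000] "GET /typo3/install.php HTTP/1.1" 200 1234',
    '10.0.0.5 - - [10/Feb/2024:12:00:09 +0000] "POST /typo3/install.php?install[action]=maintenance HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Feb/2024:12:01:30 +0000] "POST /typo3/install.php?install[action]=maintenance%3Bbar HTTP/1.1" 200 77',
    '10.0.0.7 - - [10/Feb/2024:12:01:31 +0000] "POST /index.php?id=1%7Cbar HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs carry only the query string, so parameters sent in the POST body are visible to this check only if the web server, application or WAF logs them.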
🔗 References
- https://github.com/TYPO3/typo3/security/advisories/GHSA-5w2h-59j3-8x5w
- https://typo3.org/security/advisory/typo3-core-sa-2024-002
- https://typo3.org/help/security-advisories