
CVE-2024-22188: TYPO3 Install Tool vulnerable to Code Execution

February 13, 2024 (updated September 15, 2025)

Problem

Several settings in the Install Tool for configuring the path to system binaries were vulnerable to code execution. Exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions.

The fix for this advisory enforces the Install Tool sudo mode, whose known disadvantages are described in TYPO3-PSA-2020-002: Protecting Install Tool with Sudo Mode.

Solution

Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described.

Credits

Thanks to Rickmer Frier & Daniel Jonka who reported this issue and to TYPO3 core & security team member Benjamin Franzke who fixed the issue.

References

  • TYPO3-CORE-SA-2024-002
  • github.com/TYPO3/typo3
  • github.com/TYPO3/typo3/commit/47e897f8c7668ef299ecc9ce93f52cafbb3497ed
  • github.com/TYPO3/typo3/commit/6cc11761b8e2434fa4ccc9f096c65ca82569cfdf
  • github.com/TYPO3/typo3/commit/84e07e35b880a544b517868432c56987d05d46d4
  • github.com/TYPO3/typo3/security/advisories/GHSA-5w2h-59j3-8x5w
  • github.com/advisories/GHSA-5w2h-59j3-8x5w
  • nvd.nist.gov/vuln/detail/CVE-2024-22188
  • typo3.org/help/security-advisories
  • typo3.org/security/advisory/typo3-core-sa-2024-002
  • typo3.org/security/advisory/typo3-psa-2020-002

Affected versions

  • all versions starting from 8.0.0 before 8.7.57
  • all versions starting from 9.0.0 before 9.5.46
  • all versions starting from 10.0.0 before 10.4.43
  • all versions starting from 11.0.0 before 11.5.35
  • all versions starting from 12.0.0 before 12.4.11
  • all versions starting from 13.0.0 before 13.0.1 (version 13.0.0)

Fixed versions

  • 8.7.57
  • 9.5.46
  • 10.4.43
  • 11.5.35
  • 12.4.11
  • 13.0.1

Solution

Upgrade to versions 8.7.57, 9.5.46, 10.4.43, 11.5.35, 12.4.11, 13.0.1 or above.

Impact: 7.2 HIGH (CVSS v3.1)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Weakness

  • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • CWE-94: Improper Control of Generation of Code ('Code Injection')

Source file

packagist/typo3/cms-core/CVE-2024-22188.yml

Page generated Mon, 22 Sep 2025 12:18:04 +0000.