SCA: security update for typo3/cms, typo3/cms-core (GHSA-m2jh-fxw4-gphm)

medium Tenable Self-Hosted Container Security Plugin ID 416657

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been
discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP Host
header. TYPO3 uses the HTTP Host header, for example, to generate absolute URLs during the frontend
rendering process. Since the host header itself is provided by the client, it can be forged to any value,
even in a name-based virtual hosts environment. This vulnerability is the same as described in TYPO3-CORE-
SA-2014-001 (CVE-2014-3941). A regression, introduced during TYPO3 v11 development, led to this situation.
The already existing setting $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] (used as an
effective mitigation strategy in previous TYPO3 versions) was not evaluated anymore, and reintroduced the
vulnerability. (CVE-2021-41114)

See Also

https://github.com/advisories/GHSA-m2jh-fxw4-gphm

Plugin Details

Severity: Medium

ID: 416657

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2021-41114

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 10/5/2021

Vulnerability Publication Date: 10/5/2021

Reference Information

CVE: CVE-2021-41114