CVE-2022-36104: 
PHP vulnerability analysis and mitigation

CVE-2022-36104 affects TYPO3, an open-source PHP-based web content management system. The vulnerability was discovered in September 2022 and affects TYPO3 versions 11.4.0-11.5.15. This security issue is related to the page error handling functionality in TYPO3's core and frontend components (TYPO3 Advisory).

The vulnerability is classified as a Denial of Service issue with a CVSS v3.1 base score of 5.5 (Medium severity). The attack vector is Network-based with High attack complexity, requiring No privileges and No user interaction, with an Unchanged scope and High impact on availability. The vulnerability occurs when requesting invalid or non-existing resources via HTTP, which triggers the page error handler. This handler attempts to retrieve content from another page to display as an error message, potentially creating a recursive call scenario (GitHub Advisory).

When exploited, this vulnerability can lead to a denial of service condition where the application calls itself recursively, amplifying the impact of the initial attack until the web server's limits are exceeded. This can result in the system becoming unresponsive or unavailable (TYPO3 Advisory).

The vulnerability has been fixed in TYPO3 version 11.5.16. System administrators are strongly advised to update to this version or later to address the security issue. The fix prevents the recursive call scenario by implementing additional checks in the page error handler (TYPO3 Advisory).

The vulnerability was reported by Rik Willems and fixed by TYPO3 core & security team member Oliver Hader. It was noted that this vulnerability is actually a regression of a previously fixed issue (CVE-2021-21359) that was accidentally reintroduced during TYPO3 v11 development (GitHub Advisory).