GHSA-f624-8hfq-5fh3: 
PHP vulnerability analysis and mitigation

A security vulnerability was discovered in TYPO3 CMS affecting versions 8.0.0-8.7.22 and 9.0.0-9.5.3, identified as TYPO3-CORE-SA-2019-001. The vulnerability was related to information disclosure of installed extensions through RequireJS package configuration mechanisms. The issue was discovered and reported on January 22, 2019, with a severity rating of Low (TYPO3 Advisory).

The vulnerability was found in the RequireJS package configuration component of TYPO3 CMS. The mechanisms used for configuration of RequireJS package loading were susceptible to information disclosure, allowing potential attackers to retrieve information about installed system and third-party extensions. The vulnerability received a CVSS v3.0 score suggesting Network attack vector with Low complexity, requiring No privileges and No user interaction (TYPO3 Advisory).

The vulnerability could allow attackers to discover information about installed system and third-party extensions in a TYPO3 installation. This information disclosure could potentially be used for reconnaissance purposes to identify specific extensions and their versions (GitHub Advisory).

The vulnerability was patched in TYPO3 versions 8.7.23 and 9.5.4. After updating, users are required to clear TYPO3 caches either using the TYPO3 Install Tool or the TYPO3 Console CLI tool. This cache clearing is necessary due to the introduction of new configuration settings (TYPO3 Advisory).