In TYPO3 11.5.24, the filelist component allows attackers (who have access to the administrator panel) to read arbitrary files via directory traversal in the baseuri field, as demonstrated by POST /typo3/record/edit with ../../../ in data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF].
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/176274/TYPO3-11.5.24-Path-Traversal.html | Third Party Advisory VDB Entry |
Configurations
History
03 Jan 2024, 21:02
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.9 |
CPE | cpe:2.3:a:typo3:typo3:11.5.24:*:*:*:*:*:*:* | |
First Time |
Typo3 typo3
Typo3 |
|
CWE | CWE-22 | |
References | () http://packetstormsecurity.com/files/176274/TYPO3-11.5.24-Path-Traversal.html - Third Party Advisory, VDB Entry |
26 Dec 2023, 20:34
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
25 Dec 2023, 05:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-12-25 05:15
Updated : 2024-01-03 21:02
NVD link : CVE-2023-30451
Mitre link : CVE-2023-30451
CVE.ORG link : CVE-2023-30451
JSON object : View
Products Affected
typo3
- typo3
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')