BIT-typo3-2023-30451

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/typo3/BIT-typo3-2023-30451.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-typo3-2023-30451

Aliases

Published

2024-03-06T11:08:11.111Z

Modified

2024-03-06T11:25:28.861Z

Summary

[none]

Details

In TYPO3 11.5.24, the filelist component allows attackers (who have access to the administrator panel) to read arbitrary files via directory traversal in the baseuri field, as demonstrated by POST /typo3/record/edit with ../../../ in data[sysfilestorage]*[data][sDEF][lDEF][basePath][vDEF].

Database specific

{
    "severity": "Medium",
    "cpes": [
        "cpe:2.3:a:typo3:typo3:11.5.24:*:*:*:*:*:*:*"
    ]
}

References

http://packetstormsecurity.com/files/176274/TYPO3-11.5.24-Path-Traversal.html

Affected packages

Bitnami / typo3

Package

Name: typo3
Purl: pkg:bitnami/typo3

Severity

4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

11.5.24

Last affected

11.5.24