GHSA-77p4-wfr8-977w

Source

https://github.com/advisories/GHSA-77p4-wfr8-977w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-77p4-wfr8-977w/GHSA-77p4-wfr8-977w.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-77p4-wfr8-977w

Aliases

CVE-2019-19848

Published

2022-05-24T17:03:52Z

Modified

2024-04-25T21:57:36.052836Z

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

TYPO3 Directory Traversal on ZIP extraction

Details

An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit this vulnerability. (In v9 LTS and later, System Maintainer privileges are also required.)

Database specific

{
    "nvd_published_at": "2019-12-17T17:15:00Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-25T21:35:12Z"
}

References

Affected packages

Packagist / typo3/cms-core

Package

Name: typo3/cms-core
Purl: pkg:composer/typo3/cms-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.0.0

Fixed

10.2.2

Affected versions

v10.*

v10.0.0

v10.1.0

v10.2.0

v10.2.1

Packagist / typo3/cms-core

Package

Name: typo3/cms-core
Purl: pkg:composer/typo3/cms-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.0.0

Fixed

8.7.30

Affected versions

v8.*

v8.7.7

v8.7.8

v8.7.9

v8.7.10

v8.7.11

v8.7.12

v8.7.13

v8.7.14

v8.7.15

v8.7.16

v8.7.17

v8.7.18

v8.7.19

v8.7.20

v8.7.21

v8.7.22

v8.7.23

v8.7.24

v8.7.25

v8.7.26

v8.7.27

v8.7.28

v8.7.29

Packagist / typo3/cms-core

Package

Name: typo3/cms-core
Purl: pkg:composer/typo3/cms-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0

Fixed

9.5.12

Affected versions

v9.*

v9.0.0

v9.1.0

v9.2.0

v9.2.1

v9.3.0

v9.3.1

v9.3.2

v9.3.3

v9.4.0

v9.5.0

v9.5.1

v9.5.2

v9.5.3

v9.5.4

v9.5.5

v9.5.6

v9.5.7

v9.5.8

v9.5.9

v9.5.10

v9.5.11

Packagist / typo3/cms

Package

Name: typo3/cms
Purl: pkg:composer/typo3/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.0.0

Fixed

10.2.2

Affected versions

v10.*

v10.0.0

v10.1.0

v10.2.0

v10.2.1

Packagist / typo3/cms

Package

Name: typo3/cms
Purl: pkg:composer/typo3/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.0.0

Fixed

8.7.30

Affected versions

8.*

8.0.0

8.0.1

8.1.0

8.1.1

8.1.2

8.2.0

8.2.1

8.3.0

8.3.1

8.4.0

8.4.1

8.5.0

8.5.1

8.6.0

8.6.1

8.7.0

8.7.1

8.7.2

v8.*

v8.7.3

v8.7.4

v8.7.5

v8.7.6

v8.7.7

v8.7.8

v8.7.9

v8.7.10

v8.7.11

v8.7.12

v8.7.13

v8.7.14

v8.7.15

v8.7.16

v8.7.17

v8.7.18

v8.7.19

v8.7.20

v8.7.21

v8.7.22

v8.7.23

v8.7.24

v8.7.25

v8.7.26

v8.7.27

v8.7.28

v8.7.29

Packagist / typo3/cms

Package

Name: typo3/cms
Purl: pkg:composer/typo3/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0

Fixed

9.5.12

Affected versions

v9.*

v9.0.0

v9.1.0

v9.2.0

v9.2.1

v9.3.0

v9.3.1

v9.3.2

v9.3.3

v9.4.0

v9.5.0

v9.5.1

v9.5.2

v9.5.3

v9.5.4

v9.5.5

v9.5.6

v9.5.7

v9.5.8

v9.5.9

v9.5.10

v9.5.11