GHSA-p2jh-95jg-2w55

Source

https://github.com/advisories/GHSA-p2jh-95jg-2w55

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-p2jh-95jg-2w55/GHSA-p2jh-95jg-2w55.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p2jh-95jg-2w55

Aliases

Published

2023-11-14T20:34:26Z

Modified

2024-02-16T07:54:45.354775Z

Severity

3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Information Disclosure in typo3/cms-install tool

Details

CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C (3.5)

Problem

The login screen of the standalone install tool discloses the full path of the transient data directory (e.g. /var/www/html/var/transient/). This applies to composer-based scenarios only - “classic” non-composer installations are not affected.

Solution

Update to TYPO3 version 12.4.8 that fixes the problem described above.

Credits

Thanks to Markus Klein who reported and fixed the issue.

References

TYPO3-CORE-SA-2023-005

Database specific

{
    "nvd_published_at": "2023-11-14T20:15:08Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-14T20:34:26Z"
}

References

Affected packages

Packagist / typo3/cms-install

Package

Name: typo3/cms-install
Purl: pkg:composer/typo3/cms-install

Affected ranges

Type: ECOSYSTEM
Events: Introduced

12.2.0

Fixed

12.4.8

Affected versions

v12.*

v12.2.0

v12.3.0

v12.4.0

v12.4.1

v12.4.2

v12.4.3

v12.4.4

v12.4.5

v12.4.6

v12.4.7