GHSA-3gjc-mp82-fj4q – typo3/cms-core
Package
Manager: composer
Name: typo3/cms-core
Vulnerable Version: <0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: N/A
EPSS: N/A (percentile: N/A)
Details
Duplicate Advisory: TYPO3 Arbitrary File Read via Directory Traversal

## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-w6x2-jg8h-p6mp. This link is maintained to preserve external references.

## Original Description

In TYPO3 11.5.24, the filelist component allows attackers (who have access to the administrator panel) to read arbitrary files via directory traversal in the baseuri field, as demonstrated by POST `/typo3/record/edit` with `../../../` in `data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF]`.
Metadata
Created: 2023-12-25T06:30:20Z
Modified: 2024-02-13T19:07:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-3gjc-mp82-fj4q/GHSA-3gjc-mp82-fj4q.json
CWE IDs: ["CWE-22"]
Alternative ID: N/A
Finding: N/A
Auto approve: 0