logo

Database

Enabled default configuration In typo3/cms-install

Description

Information Disclosure in typo3/cms-install tool

CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C (3.5)

Problem

The login screen of the standalone install tool discloses the full path of the transient data directory (e.g. /var/www/html/var/transient/). This applies to composer-based scenarios only - “classic” non-composer installations are not affected.

Solution

Update to TYPO3 version 12.4.8 that fixes the problem described above.

Credits

Thanks to Markus Klein who reported and fixed the issue.

References

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-471262. NVD-2023-471263. OSV-2023-471264. GHSA-p2jh-95jg-2w555. GCVE-2023-47126

References

1. https://github.com/TYPO3/typo3/security/advisories/GHSA-p2jh-95jg-2w552. https://github.com/TYPO3/typo3/commit/1a735dac01ec7b337ed0d80c738caa8967dea4233. https://typo3.org/security/advisory/typo3-core-sa-2023-005

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.