logo

Database

Lack of data validation - Path Traversal In typo3/cms-core

Description

Duplicate Advisory: TYPO3 Arbitrary File Read via Directory Traversal

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-w6x2-jg8h-p6mp. This link is maintained to preserve external references.

Original Description

In TYPO3 11.5.24, the filelist component allows attackers (who have access to the administrator panel) to read arbitrary files via directory traversal in the baseuri field, as demonstrated by POST /typo3/record/edit with ../../../ in data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF].

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version

Aliases

1. NVD-2023-304512. GCVE-GHSA-3gjc-mp82-fj4q

References

1. http://packetstormsecurity.com/files/176274/TYPO3-11.5.24-Path-Traversal.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.