TYPO3 Information Disclosure Vulnerability Exploitable by Editors

2024-05-3021:08:18

CWE-200

GitHub Advisory Database

github.com

typo3

information disclosure

vulnerability

editors

file list module

root directory

backend user account

exploitable

AI Score

Confidence

Low

JSON

It has been discovered, that editors with access to the file list module could list all files names and folder names in the root directory of a TYPO3 installation. Modification of files, listing further nested directories or retrieving file contents was not possible. A valid backend user account is needed to exploit this vulnerability.

Affected configurations

Vulners

Node

typo3typo3_cmsRange7.0.0–7.3.1

typo3typo3_cmsRange6.2.0–6.2.14

VendorProductVersionCPE
typo3typo3_cms*cpe:2.3:a:typo3:typo3_cms:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
typo3	typo3_cms	*	cpe:2.3:a:typo3:typo3_cms::::::::

References

github.com/advisories/GHSA-r287-hc8j-w56h

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2015-07-01-4.yaml

github.com/TYPO3/typo3/commit/d9caccb26c954834e7d43fbbe84a3130cc95524a

typo3.org/security/advisory/typo3-core-sa-2015-005

typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-005

AI Score

Confidence

Low

JSON