Lucene search

GoogleOSV:BIT-TYPO3-2023-47126

HistoryMar 06, 2024 - 11:07 a.m.

BIT-typo3-2023-47126

2024-03-0611:07:42

Google

osv.dev

typo3

open source

php

web content

management system

gnu gpl

security

vulnerability

disclosure

transient

data directory

composer

installation

upgrade

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

20.6%

JSON

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions the login screen of the standalone install tool discloses the full path of the transient data directory (e.g. /var/www/html/var/transient/). This applies to composer-based scenarios only - “classic” non-composer installations are not affected. This issue has been addressed in version 12.4.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CPENameOperatorVersion
typo3lt12.4.8
typo3ge12.2.0

CPE	Name	Operator	Version
	typo3	lt	12.4.8
	typo3	ge	12.2.0

References

github.com/TYPO3/typo3/commit/1a735dac01ec7b337ed0d80c738caa8967dea423

github.com/TYPO3/typo3/security/advisories/GHSA-p2jh-95jg-2w55

typo3.org/security/advisory/typo3-core-sa-2023-005

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

20.6%

JSON

Related for OSV:BIT-TYPO3-2023-47126