TYPO3 Broken Access Control in Localization Handling

2024-05-3015:47:57

Google

osv.dev

typo3

access control

localization

vulnerability

backend user

7 High

AI Score

Confidence

Low

JSON

It has been discovered that backend users having limited access to specific languages are capable of modifying and creating pages in the default language which actually should be disallowed. A valid backend user account is needed in order to exploit this vulnerability.

CPENameOperatorVersion
typo3/cms-coreeq8.7.11
typo3/cms-coreeq8.7.7
typo3/cms-coreeq8.7.9
typo3/cms-coreeq8.7.10
typo3/cms-coreeq8.7.8
typo3/cms-coreeq8.7.14
typo3/cms-coreeq8.7.15
typo3/cms-coreeq8.7.12
typo3/cms-coreeq8.7.20
typo3/cms-coreeq8.7.13

Name	Operator	Version
typo3/cms-core	eq	8.7.11
typo3/cms-core	eq	8.7.7
typo3/cms-core	eq	8.7.9
typo3/cms-core	eq	8.7.10
typo3/cms-core	eq	8.7.8
typo3/cms-core	eq	8.7.14
typo3/cms-core	eq	8.7.15
typo3/cms-core	eq	8.7.12
typo3/cms-core	eq	8.7.20
typo3/cms-core	eq	8.7.13

Rows per page:

1-10 of 161

References

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2019-01-22-3.yaml

github.com/TYPO3-CMS/core

github.com/TYPO3-CMS/core/commit/64b1b5dc2f7cacb2ba39b74081f4179d6393b2bf

typo3.org/security/advisory/typo3-core-sa-2019-003

7 High

AI Score

Confidence

Low

JSON