Typo3 Information Disclosure in Page Tree

2024-06-0517:21:19

Google

osv.dev

typo3

information disclosure

page tree

backend users

vulnerability

access control.

6.8 Medium

AI Score

Confidence

Low

JSON

It has been discovered backend users not having read access to specific pages still could see them in the page tree which actually should be disallowed. A valid backend user account is needed in order to exploit this vulnerability.

CPENameOperatorVersion
typo3/cmseq9.0.0
typo3/cmseq9.3.0
typo3/cmseq9.3.1
typo3/cmseq9.4.0
typo3/cmseq9.5.2
typo3/cmseq9.5.4
typo3/cmseq9.3.3
typo3/cmseq9.5.3
typo3/cmseq9.2.0
typo3/cmseq9.5.5

Name	Operator	Version
typo3/cms	eq	9.0.0
typo3/cms	eq	9.3.0
typo3/cms	eq	9.3.1
typo3/cms	eq	9.4.0
typo3/cms	eq	9.5.2
typo3/cms	eq	9.5.4
typo3/cms	eq	9.3.3
typo3/cms	eq	9.5.3
typo3/cms	eq	9.2.0
typo3/cms	eq	9.5.5

Rows per page:

1-10 of 151

References

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-05-07-4.yaml

github.com/TYPO3/typo3

typo3.org/security/advisory/typo3-core-sa-2019-009

6.8 Medium

AI Score

Confidence

Low

JSON