Information Disclosure in typo3/cms-install tool

2023-11-1420:34:26

Google

osv.dev

typo3

information disclosure

install tool

transient data directory

composer-based

version 12.4.8

markus klein

security advisory

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

7 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

20.6%

JSON

> ### CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C (3.5)

Problem

The login screen of the standalone install tool discloses the full path of the transient data directory (e.g. /var/www/html/var/transient/). This applies to composer-based scenarios only - “classic” non-composer installations are not affected.

Solution

Update to TYPO3 version 12.4.8 that fixes the problem described above.

Credits

Thanks to Markus Klein who reported and fixed the issue.

References

TYPO3-CORE-SA-2023-005

CPENameOperatorVersion
typo3/cms-installeq12.3.0
typo3/cms-installeq12.4.2
typo3/cms-installeq12.2.0
typo3/cms-installeq12.4.0
typo3/cms-installeq12.4.3
typo3/cms-installeq12.4.1
typo3/cms-installeq12.4.6
typo3/cms-installeq12.4.5
typo3/cms-installeq12.4.4
typo3/cms-installeq12.4.7

Name	Operator	Version
typo3/cms-install	eq	12.3.0
typo3/cms-install	eq	12.4.2
typo3/cms-install	eq	12.2.0
typo3/cms-install	eq	12.4.0
typo3/cms-install	eq	12.4.3
typo3/cms-install	eq	12.4.1
typo3/cms-install	eq	12.4.6
typo3/cms-install	eq	12.4.5
typo3/cms-install	eq	12.4.4
typo3/cms-install	eq	12.4.7