cbcvebase.
CVE-2023-30451
published 2023-12-25

CVE-2023-30451: In TYPO3 11.5.24, the filelist component allows attackers (who have access to the administrator panel) to read arbitrary files via directory traversal in the…

PriorityP434medium4.9CVSS 3.1
AVNACLPRHUINSUCHINAN
EXPLOIT
EPSS
1.16%
63.2th percentile
In TYPO3 11.5.24, the filelist component allows attackers (who have access to the administrator panel) to read arbitrary files via directory traversal in the baseuri field, as demonstrated by POST /typo3/record/edit with ../../../ in data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF].

Affected

7 ranges
VendorProductVersion rangeFixed in
typo3cms-core>= 10.0.0 < 10.4.4310.4.43
typo3cms-core>= 11.0.0 < 11.5.3511.5.35
typo3cms-core>= 12.0.0 < 12.4.1112.4.11
typo3cms-core>= 13.0.0 < 13.0.113.0.1
typo3cms-core>= 8.0.0 < 8.7.578.7.57
typo3cms-core>= 9.0.0 < 9.5.469.5.46
typo3typo3
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.