CVE-2024-25120Sensitive Information Exposure in Typo3

CWE-200Sensitive Information ExposureCWE-284Improper Access Control4 documents4 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 59.29%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Typo3Typo3 Cms-core
Timeline
PublishedFeb 13

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. The TYPO3-specific `t3://` URI scheme could be used to access resources outside of the users' permission scope. This encompassed files, folders, pages, and records (although only if a valid link-handling configuration was provided). Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

NVDtypo3/typo38.0.08.7.57+5
Packagisttypo3/cms-core8.0.08.7.57+5
CVEListV5typo3/typo36 versions+5

🔴Vulnerability Details

3
OSV
TYPO3 vulnerable to Improper Access Control of Resources Referenced by t3:// URI Scheme2024-02-13
CVEList
Improper Access Control of Resources Referenced by t3:// URI Scheme in TYPO32024-02-13
GHSA
TYPO3 vulnerable to Improper Access Control of Resources Referenced by t3:// URI Scheme2024-02-13
CVE-2024-25120 — Sensitive Information Exposure | cvebase