CVE-2024-25121Sensitive Information Exposure in Typo3

CWE-200Sensitive Information ExposureCWE-284Improper Access Control4 documents4 sources
Severity
7.1HIGHNVD
EPSS
0.3%
top 46.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Typo3Typo3 Cms-core
Timeline
PublishedFeb 13

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions of TYPO3 entities of the File Abstraction Layer (FAL) could be persisted directly via `DataHandler`. This allowed attackers to reference files in the fallback storage directly and retrieve their file names and contents. The fallback storage ("zero-storage") is used as a backward compatibility layer for files located outside properly configured file storages and within the public web r

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:NExploitability: 2.8 | Impact: 4.2

Affected Packages3 packages

NVDtypo3/typo38.0.08.7.57+5
Packagisttypo3/cms-core8.0.08.7.57+5
CVEListV5typo3/typo36 versions+5

🔴Vulnerability Details

3
OSV
TYPO3 vulnerable to Improper Access Control Persisting File Abstraction Layer Entities via Data Handler2024-02-13
GHSA
TYPO3 vulnerable to Improper Access Control Persisting File Abstraction Layer Entities via Data Handler2024-02-13
CVEList
Improper Access Control Persisting File Abstraction Layer Entities via Data Handler in TYPO32024-02-13
CVE-2024-25121 — Sensitive Information Exposure | cvebase