In TYPO3 11.5.24, the filelist component allows attackers (who have access to the administrator panel) to read arbitrary files via directory traversal in the baseuri field, as demonstrated by POST /typo3/record/edit with ../../../ in data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF].
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/176274/TYPO3-11.5.24-Path-Traversal.html | Third Party Advisory VDB Entry |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2023-12-25T00:00:00
Updated: 2023-12-25T05:02:47.293044
Reserved: 2023-04-08T00:00:00
Link: CVE-2023-30451
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-12-25T05:15:08.553
Modified: 2024-01-03T21:02:47.050
Link: CVE-2023-30451
JSON object: View
Redhat Information
No data.
CWE