CVE-2023-30451: Path Traversal
First published: Mon Dec 25 2023(Updated: )
## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-w6x2-jg8h-p6mp. This link is maintained to preserve external references. ## Original Description In TYPO3 11.5.24, the filelist component allows attackers (who have access to the administrator panel) to read arbitrary files via directory traversal in the baseuri field, as demonstrated by POST `/typo3/record/edit` with `../../../ in data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF]`.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Typo3 Typo3 | =11.5.24 | |
| composer/typo3/cms-core | =11.5.24 | |
| composer/typo3/cms-core | =13.0.0 | 13.0.1 |
| composer/typo3/cms-core | >=12.0.0<=12.4.10 | 12.4.11 |
| composer/typo3/cms-core | >=11.0.0<=11.5.34 | 11.5.35 |
| composer/typo3/cms-core | >=10.0.0<=10.4.42 | 10.4.43 |
| composer/typo3/cms-core | >=9.0.0<=9.5.45 | 9.5.46 |
| composer/typo3/cms-core | >=8.0.0<=8.7.56 | 8.7.57 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/176274/TYPO3-11.5.24-Path-Traversal.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-30451
- https://github.com/advisories/GHSA-3gjc-mp82-fj4q (Advisory)
- https://github.com/TYPO3/typo3/security/advisories/GHSA-w6x2-jg8h-p6mp
- https://typo3.org/security/advisory/typo3-core-sa-2024-001
- https://github.com/TYPO3/typo3/commit/205115cca3d67594a12d0195c937da0e51eb494a
- https://github.com/TYPO3/typo3/commit/78fb9287a2f0487c39288070cb0493a5265f1789
- https://github.com/TYPO3/typo3/commit/accf537c7379b4359bc0f957c4d0c07baddd710a
- https://github.com/advisories/GHSA-w6x2-jg8h-p6mp (Advisory)
- collector/mitre-cve
- agent/author
- agent/type
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/weakness
- collector/github-advisory
- source/GitHub
- alias/GHSA-3gjc-mp82-fj4q
- alias/CVE-2023-30451
- collector/nvd-cve
- collector/github-advisory-latest
- agent/severity
- agent/references
- agent/last-modified-date
- agent/tags
- agent/softwarecombine
- agent/description
- agent/event
- alias/GHSA-w6x2-jg8h-p6mp
- vendor/typo3
- canonical/typo3 typo3
- version/typo3 typo3/11.5.24
- package-manager/composer