GHSA-r287-hc8j-w56h: TYPO3 Information Disclosure Vulnerability Exploitable by Editors
CVSS Score: 6.5 (CVSS v3.1)
Basic Information
CVE ID: -
GHSA ID: GHSA-r287-hc8j-w56h
EPSS Score: -
CWE: -
Published: 5/30/2024
Updated: 5/30/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| typo3/cms | composer | >= 6.2.0, < 6.2.14 | 6.2.14 |
| typo3/cms | composer | >= 7.0.0, < 7.3.1 | 7.3.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The security patch adds explicit checks for storage UID 0 in the init() method, indicating that this method was the vulnerable entry point. The vulnerability stemmed from the method's failure to restrict access to the fallback storage (UID 0), which represents the document root. The original logic resolved folder objects for storage 0 without proper authorization checks, enabling information disclosure to editors through the filelist module interface.