
GHSA-wvvp-jwf5-qcpc: TYPO3 Information Disclosure in Page Tree

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

CVE ID: -
EPSS Score: -
Published: 5/30/2024
Updated: 5/30/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name   | Ecosystem | Vulnerable Versions | First Patched Version
typo3/cms-core | composer  | >= 9.0.0, < 9.5.6   | 9.5.6

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper access control in the page tree rendering mechanism. The PageTreeRepository::getTreeData method is responsible for fetching and constructing the page tree structure displayed in the backend. In affected versions, this method likely failed to integrate backend user permission checks when retrieving page nodes, so pages were shown in the tree to users who had no read access to them. The fix in v9.5.6 would have added proper permission checks (likely using TYPO3's page permission system) during tree data retrieval. Confidence is high because this component is directly responsible for page tree presentation and matches the described vulnerability pattern of missing authorization checks in tree rendering.

Vulnerable functions


WAF Protection Rules

WAF Rule

It has been discovered that backend users not having read access to specific pages could still see them in the page tree, which actually should be disallowed. A valid backend user account is needed in order to exploit this vulnerability.
