CVE-2024-25120

CVSS V2 None CVSS V3 None

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. The TYPO3-specific `t3://` URI scheme could be used to access resources outside of the users' permission scope. This encompassed files, folders, pages, and records (although only if a valid link-handling configuration was provided). Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this issue.

Overview

CVE ID
CVE-2024-25120

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2024-02-13T22:15:13.294Z

Last Modified Date
2024-06-04T17:35:11.339Z

Weakness Enumerations

CWE	URL
CWE-200	http://cwe.mitre.org/data/definitions/200.html
CWE-284	http://cwe.mitre.org/data/definitions/284.html

References

Reference URL	Reference Tags
https://github.com/TYPO3/typo3/security/advisories/GHSA-wf85-8hx9-gj7c	x_refsource_CONFIRM
https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Functions/Typolink.html#resource-references	x_refsource_MISC
https://typo3.org/security/advisory/typo3-core-sa-2024-005	x_refsource_MISC

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-25120
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25120

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 12:33:49				Added to TrackCVE