Описание
TYPO3 Information Disclosure Vulnerability Exploitable by Editors
It has been discovered, that editors with access to the file list module could list all files names and folder names in the root directory of a TYPO3 installation. Modification of files, listing further nested directories or retrieving file contents was not possible. A valid backend user account is needed to exploit this vulnerability.
Ссылки
- https://github.com/TYPO3/typo3/commit/d9caccb26c954834e7d43fbbe84a3130cc95524a
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2015-07-01-4.yaml
- https://typo3.org/security/advisory/typo3-core-sa-2015-005
- https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-005
Пакеты
Наименование
typo3/cms
composer
Затронутые версииВерсия исправления
>= 6.2.0, < 6.2.14
6.2.14
Наименование
typo3/cms
composer
Затронутые версииВерсия исправления
>= 7.0.0, < 7.3.1
7.3.1
6.5 Medium
CVSS3
Дефекты
CWE-200
6.5 Medium
CVSS3
Дефекты
CWE-200