CVE-2024-25120
Last modified
CVE-2024-25120 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. TYPO3 is an open source PHP based web content management system released under the GNU GPL. The TYPO3-specific `t3://` URI scheme could be used to access resources outside of the users' permission scope. EPSS estimates a 0.55% chance of exploitation in the next 30 days.
Description
TYPO3 is an open source PHP based web content management system released under the GNU GPL. The TYPO3-specific `t3://` URI scheme could be used to access resources outside of the users' permission scope. This encompassed files, folders, pages, and records (although only if a valid link-handling configuration was provided). Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Typo3 | Typo3 | >= 8.0.0, < 8.7.57 |
| Typo3 | Typo3 | >= 9.0.0, < 9.5.46 |
| Typo3 | Typo3 | >= 10.0.0, < 10.4.43 |
| Typo3 | Typo3 | >= 11.0.0, < 11.5.35 |
| Typo3 | Typo3 | >= 12.0.0, < 12.4.11 |
| Typo3 | Typo3 | 13.0.0 |
References
- https://github.com/TYPO3/typo3/security/advisories/GHSA-wf85-8hx9-gj7cThird Party Advisory
- https://typo3.org/security/advisory/typo3-core-sa-2024-005Vendor Advisory
- https://github.com/TYPO3/typo3/security/advisories/GHSA-wf85-8hx9-gj7cThird Party Advisory
- https://typo3.org/security/advisory/typo3-core-sa-2024-005Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2024-25120?
How severe is CVE-2024-25120?
How do I fix CVE-2024-25120?
Are you affected by CVE-2024-25120?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST