CVE-2024-25120

Improper Access Control of Resources Referenced by t3:// URI Scheme in TYPO3

CVSS 4.3 MEDIUMEPSS 0.5%CWE-200 CWE-284

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 4.3EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

13 feb 2024Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

TYPO3 is an open source PHP based web content management system released under the GNU GPL. The TYPO3-specific `t3://` URI scheme could be used to access resources outside of the users' permission scope. This encompassed files, folders, pages, and records (although only if a valid link-handling configuration was provided). Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this issue.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Productos afectados

TYPO3 · typo3

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Functions/Typolink.html#resource-references https://github.com/TYPO3/typo3/security/advisories/GHSA-wf85-8hx9-gj7c https://typo3.org/security/advisory/typo3-core-sa-2024-005