Description

In TYPO3 11.5.24, the filelist component allows attackers (who have access to the administrator panel) to read arbitrary files via directory traversal in the baseuri field, as demonstrated by POST /typo3/record/edit with ../../../ in data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF].

Remediation

References

CVE-2023-30451

Related Vulnerabilities

WordPress Plugin Flog Server-Side Request Forgery (1.0beta3)

WordPress Plugin Popup Maker-Popup for opt-ins, lead gen, & more Cross-Site Scripting (1.6.4)

Dolphin Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2014-4333)

Joomla CVE-2021-23132 Vulnerability (CVE-2021-23132)

MediaWiki Other Vulnerability (CVE-2005-1888)

Severity

Medium

Classification

CVE-2023-30451 CWE-22 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities