VYPR
Low severity · NVD Advisory · Published Nov 14, 2023 · Updated Aug 29, 2024

Information Disclosure in Install Tool in typo3/cms-install

CVE-2023-47126

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions the login screen of the standalone install tool discloses the full path of the transient data directory (e.g. /var/www/html/var/transient/). This applies to composer-based scenarios only - “classic” non-composer installations are not affected. This issue has been addressed in version 12.4.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The login screen of the TYPO3 standalone install tool discloses the full filesystem path of the transient data directory. Only composer-based installations are affected; the issue is fixed in version 12.4.8.

Vulnerability

Overview

The login screen of the TYPO3 standalone install tool discloses the full filesystem path of the transient data directory (e.g., /var/www/html/var/transient/). The path appears in the message that tells an administrator where to create the ENABLE_INSTALL_TOOL file. Before the fix, the controller computed that hint by taking the absolute location of the enable file and stripping the public web root from it with str_replace(). That works for classic installations, where typo3conf/ lies beneath the web root, but in composer-based installations var/transient/ sits in the project root outside the web root, so nothing was stripped and the absolute path was rendered verbatim. The issue therefore applies exclusively to composer-based TYPO3 installations; classic non-composer installations are not affected [1][3][4].
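The following PHP script is an added example, not TYPO3's own code. It reproduces the two computations from the fix commit (the pre-12.4.8 str_replace() approach and the static hint that replaced it) against constructed classic and composer directory layouts, so that the composer-only leak can be seen directly. The paths, and the assumption that a composer-based project serves from <project>/public with var/ beside it at the project root, are illustrative and not taken from the advisory.

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3 code). Requires PHP 8.0+ for str_starts_with().

/**
 * Pre-fix computation, as in LoginController::showEnableInstallToolFileAction
 * before 12.4.8. str_replace() only removes the prefix when the enable-file
 * directory really lies beneath the public path; otherwise the absolute path
 * is returned unchanged.
 */
function vulnerableDisplayPath(string $publicPath, string $enableFileLocation): string
{
    return str_replace($publicPath . '/', '', dirname($enableFileLocation)) . '/';
}

/**
 * Fixed behaviour, as in EnableFileService::getStaticLocationForInstallToolEnableFileDirectory():
 * a constant hint that carries no information about the host's filesystem.
 */
function fixedDisplayPath(bool $composerMode): string
{
    return $composerMode ? 'var/transient/' : 'typo3conf/';
}

/** True when a hint would disclose an absolute filesystem path to the visitor. */
function disclosesAbsolutePath(string $hint): bool
{
    return str_starts_with($hint, '/');
}

// Constructed layouts: [composerMode, public web root, best location of ENABLE_INSTALL_TOOL].
// Classic: web root is the project root, enable file under typo3conf/.
// Composer (assumption): web root is <project>/public, enable file under <project>/var/transient/.
$layouts = [
    'classic'  => [false, '/var/www/html',        '/var/www/html/typo3conf/ENABLE_INSTALL_TOOL'],
    'composer' => [true,  '/var/www/html/public', '/var/www/html/var/transient/ENABLE_INSTALL_TOOL'],
];

foreach ($layouts as $name => [$composerMode, $publicPath, $location]) {
    $before = vulnerableDisplayPath($publicPath, $location);
    $after  = fixedDisplayPath($composerMode);
    printf(
        "%-8s before fix: %-32s %s\n",
        $name,
        $before,
        disclosesAbsolutePath($before) ? '<- discloses absolute path' : '(relative, no disclosure)'
    );
    printf("%-8s after fix:  %s\n", $name, $after);
}
```

Running it shows 'typo3conf/' for the classic layout in both versions, while the composer layout yields '/var/www/html/var/transient/' before the fix and the static 'var/transient/' after it; the classic case is unaffected only because typo3conf/ happens to live under the stripped prefix, not because the old code was safe in general.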

Exploitation

Prerequisites

The install tool's entry point must be reachable by the attacker over the network. No authentication, install tool password or other privilege is needed: the path is rendered on the screen that instructs the administrator where to create the ENABLE_INSTALL_TOOL file (the showEnableInstallToolFileAction changed by the patch), which is the screen shown while the install tool is still locked. The CVSSv3.1 base score is 2.5 (Low) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N; the high attack complexity reflects that the install tool endpoint has to be reachable by the attacker in the first place [4].

Impact

The disclosed path reveals the server's directory layout (project root, web root, and the fact that a composer-based layout is in use), which lets an attacker tune payloads for a separate path traversal, local file inclusion or arbitrary file write flaw that requires absolute paths. On its own it grants no access to data. The vulnerability is classified as information disclosure (CWE-200) [4].

Mitigation

TYPO3 version 12.4.8 fixes the problem by replacing the computed path with a static hint ('var/transient/' in composer mode, 'typo3conf/' otherwise) that reveals nothing about the host filesystem [3]. Users are advised to upgrade to 12.4.8 or later immediately. There are no known workarounds [1][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions      Patched versions
typo3/cms-install (Packagist)  >= 12.2.0, < 12.4.8    12.4.8

Affected products: 3

Patches: 1

1a735dac01ec

[SECURITY] Do not display full path to ENABLE_INSTALL_TOOL file

https://github.com/TYPO3/typo3 · Markus Klein · Nov 14, 2023 · via GHSA
2 files changed · +10 -3
  • typo3/sysext/install/Classes/Controller/LoginController.php  +1 -3  modified
    @@ -20,7 +20,6 @@
     use Psr\Http\Message\ResponseInterface;
     use Psr\Http\Message\ServerRequestInterface;
     use TYPO3\CMS\Core\Configuration\ConfigurationManager;
    -use TYPO3\CMS\Core\Core\Environment;
     use TYPO3\CMS\Core\FormProtection\FormProtectionFactory;
     use TYPO3\CMS\Core\Http\JsonResponse;
     use TYPO3\CMS\Install\Service\EnableFileService;
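Review bot: dropping the `use TYPO3\CMS\Core\Core\Environment;` import is only safe if no other reference to `Environment` remains in LoginController.php. PHP resolves a leftover bare `Environment::` against the controller's own namespace and fails with a class-not-found error at request time, not at parse time, so grep the file for `Environment` before merging rather than relying on the test suite to hit every action.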
    @@ -42,8 +41,7 @@ public function __construct(
         public function showEnableInstallToolFileAction(ServerRequestInterface $request): ResponseInterface
         {
             $view = $this->initializeView($request);
    -        $path = str_replace(Environment::getPublicPath() . '/', '', dirname(EnableFileService::getBestLocationForInstallToolEnableFile())) . '/';
    -        $view->assign('enableInstallToolPath', $path);
    +        $view->assign('enableInstallToolPath', EnableFileService::getStaticLocationForInstallToolEnableFileDirectory());
             return new JsonResponse([
                 'success' => true,
                 'html' => $view->render('Login/ShowEnableInstallToolFile'),
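Review bot: the commit message should name the root cause visible in the removed lines: `str_replace(Environment::getPublicPath() . '/', '', ...)` only strips the prefix when the enable-file directory lies beneath the public path, and in composer mode var/transient/ lives in the project root outside it, so the absolute path passed through untouched. The static replacement closes the leak, but 'var/transient/' and 'typo3conf/' are relative to different bases (project root versus web root); the Login/ShowEnableInstallToolFile template rendered at the end of this hunk should say which base the hint is relative to, otherwise a composer-mode administrator may create the file under public/var/transient/ and the tool stays locked.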
    
  • typo3/sysext/install/Classes/Service/EnableFileService.php  +9 -0  modified
    @@ -158,6 +158,15 @@ protected static function extendInstallToolEnableFileLifetime()
             }
         }
     
    +    /**
    +     * Returns a static directory path that is suitable to be presented to
    +     * unauthenticated visitors, in order to circumvent "Full Path Disclosure" issues.
    +     */
    +    public static function getStaticLocationForInstallToolEnableFileDirectory(): string
    +    {
    +        return Environment::isComposerMode() ? 'var/transient/' : 'typo3conf/';
    +    }
    +
         public static function getBestLocationForInstallToolEnableFile(): string
         {
             $possibleLocations = [
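Review bot: the two literals in getStaticLocationForInstallToolEnableFileDirectory() duplicate knowledge that getBestLocationForInstallToolEnableFile() keeps in $possibleLocations just below; if the preferred location ever changes, the displayed hint silently drifts from where the file is actually looked up. Either derive the hint from the same constants or add a unit test asserting that dirname(getBestLocationForInstallToolEnableFile()) . '/' ends with the static hint in both composer and classic mode. The doc comment stating the full-path-disclosure rationale is worth keeping as is.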
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5
