CVE-2024-25120
Description
TYPO3 is an open source PHP based web content management system released under the GNU GPL. The TYPO3-specific t3:// URI scheme could be used to access resources outside of the users' permission scope. This encompassed files, folders, pages, and records (although only if a valid link-handling configuration was provided). Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
typo3/cms-corePackagist | >= 8.0.0, < 8.7.57 | 8.7.57 |
typo3/cms-corePackagist | >= 9.0.0, < 9.5.46 | 9.5.46 |
typo3/cms-corePackagist | >= 10.0.0, < 10.4.43 | 10.4.43 |
typo3/cms-corePackagist | >= 11.0.0, < 11.5.35 | 11.5.35 |
typo3/cms-corePackagist | >= 12.0.0, < 12.4.11 | 12.4.11 |
typo3/cms-corePackagist | >= 13.0.0, < 13.0.1 | 13.0.1 |
Affected products
2Patches
Vulnerability mechanics
References
8- docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Functions/Typolink.htmlnvdThird Party AdvisoryWEB
- github.com/TYPO3/typo3/security/advisories/GHSA-wf85-8hx9-gj7cnvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-wf85-8hx9-gj7cghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-25120ghsaADVISORY
- typo3.org/security/advisory/typo3-core-sa-2024-005nvdVendor AdvisoryWEB
- github.com/TYPO3/typo3/commit/2de87ff113ba24333ab7cbb8078588743f8958d6ghsaWEB
- github.com/TYPO3/typo3/commit/33f4d279b82bca0a509227a17065244c6156e68fghsaWEB
- github.com/TYPO3/typo3/commit/ae0dfc4c058a90c10eedb3f49cfaf33164d21cddghsaWEB
News mentions
0No linked articles in our index yet.