VYPR
High severity7.1NVD Advisory· Published Feb 13, 2024· Updated Jun 17, 2026

CVE-2024-25121

CVE-2024-25121

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions of TYPO3 entities of the File Abstraction Layer (FAL) could be persisted directly via DataHandler. This allowed attackers to reference files in the fallback storage directly and retrieve their file names and contents. The fallback storage ("zero-storage") is used as a backward compatibility layer for files located outside properly configured file storages and within the public web root directory. Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 version 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, or 13.0.1 which fix the problem described. When persisting entities of the File Abstraction Layer directly via DataHandler, sys_file entities are now denied by default, and sys_file_reference & sys_file_metadata entities are not permitted to reference files in the fallback storage anymore. When importing data from secure origins, this must be explicitly enabled in the corresponding DataHandler instance by using $dataHandler->isImporting = true;.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
typo3/cms-corePackagist
>= 8.0.0, < 8.7.578.7.57
typo3/cms-corePackagist
>= 9.0.0, < 9.5.469.5.46
typo3/cms-corePackagist
>= 10.0.0, < 10.4.4310.4.43
typo3/cms-corePackagist
>= 11.0.0, < 11.5.3511.5.35
typo3/cms-corePackagist
>= 12.0.0, < 12.4.1112.4.11
typo3/cms-corePackagist
>= 13.0.0, < 13.0.113.0.1

Affected products

2

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.