Information Disclosure in Install Tool

CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C (3.5)

Problem

The login screen of the standalone install tool discloses the full path of the transient data directory (e.g. /var/www/html/var/transient/). This applies to composer-based scenarios only - “classic” non-composer installations are not affected.

Solution

Update to TYPO3 version 12.4.8 that fixes the problem described above.

Credits

Thanks to Markus Klein who reported and fixed the issue.

References

TYPO3-CORE-SA-2023-005

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Information Disclosure in Install Tool

Package

Affected versions

Patched versions

Description

CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C` (3.5)

Problem

Solution

Credits

References

Severity

CVSS base metrics

CVE ID

Weaknesses

Credits

Information Disclosure in Install Tool

Package

Affected versions

Patched versions

Description

CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C (3.5)

Problem

Solution

Credits

References

Severity

CVSS base metrics

CVE ID

Weaknesses

Credits

CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C` (3.5)