CVE-2019-19848
Severity: HIGH
TYPO3 < 8.7.30, 9.x < 9.5.12, 10.x < 10.2.2 - Authenticated Path Traversal via Extension Manager ZIP Extraction
Title source: llmDescription
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2: the extraction of manually uploaded ZIP archives in the Extension Manager is vulnerable to directory traversal, so archive entry names are not confined to the intended extraction directory. Admin privileges are required to exploit this vulnerability (in v9 LTS and later, System Maintainer privileges are also required).
References (2)
- Vendor Advisory (x_refsource_misc): https://typo3.org/security/advisory/typo3-core-sa-2019-024/
- Vendor Advisory (x_refsource_misc): https://review.typo3.org/q/%2522Resolves:+%252388764%2522+topic:security
Scores
CVSS v3: 7.2
EPSS: 0.0037
EPSS Percentile: 59.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
Status: published
Products (3)
- typo3/cms: 10.0.0 - 10.2.2 (Packagist)
- typo3/cms-core: 10.0.0 - 10.2.2 (Packagist)
- typo3/typo3: < 8.7.30
Published: Dec 17, 2019
Tracked Since: Feb 18, 2026