CVE-2023-30451
MEDIUM
TYPO3 11.5.24 - Authenticated Path Traversal via Filelist BaseURI Parameter
Title source: llm
Description
In TYPO3 11.5.24, the filelist component allows attackers (who have access to the administrator panel) to read arbitrary files via directory traversal in the baseuri field, as demonstrated by POST /typo3/record/edit with ../../../ in data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF].
References (1)
Core References
Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/176274/TYPO3-11.5.24-Path-Traversal.html
Scores
CVSS v3
4.9
EPSS
0.0040
EPSS Percentile
61.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-22
Status
published
Products (2)
typo3/cms-core
8.0.0 - 8.7.57 (Packagist)
typo3/typo3
11.5.24
Published
Dec 25, 2023
Tracked Since
Feb 18, 2026