Information Disclosure in Install Tool in typo3/cms-install
CVE-2023-47126

3.7LOW

Key Information:

Vendor

Typo3

Status
Typo3
Vendor
CVE Published:
14 November 2023

What is CVE-2023-47126?

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions the login screen of the standalone install tool discloses the full path of the transient data directory (e.g. /var/www/html/var/transient/). This applies to composer-based scenarios only - “classic” non-composer installations are not affected. This issue has been addressed in version 12.4.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

typo3 >= 12.2.0, < 12.4.8

References

https://github.com/TYPO3/typo3/security/advisories/GHSA-p...
x_refsource_CONFIRM
https://github.com/TYPO3/typo3/commit/1a735dac01ec7b337ed...
x_refsource_MISC
https://typo3.org/security/advisory/typo3-core-sa-2023-005
x_refsource_MISC

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.