TYPO3 before 8.7.30 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) Vulnerability

Summary

An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. 

Credit:

The information has been provided by the vendor.

The original article can be found at: https://review.typo3.org/q/%2522Resolves:+%252388764%2522+topic:security


Details

It has been discovered that the extraction of manually uploaded ZIP archives in Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit this vulnerability. (In v9 LTS and later, System Maintainer privileges are also required.)
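The check that closes this class of bug, shown as an added example in Python (it is not TYPO3's PHP code or the vendor's patch): resolve every archive entry against the extraction directory and refuse the whole archive if any entry lands outside it. The function names and the sample archive contents are hypothetical and constructed for illustration.

```python
import io
import os
import tempfile
import zipfile


def build_zip(names):
    """Constructed sample input: an in-memory ZIP with one small file per name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


def escaping_entries(archive_bytes, dest_dir):
    """Return the entry names whose resolved target lies outside dest_dir."""
    root = os.path.realpath(dest_dir)
    escaping = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            # Treat "\" as a separator too, since some extractors honour it.
            relative = name.replace("\\", "/")
            target = os.path.realpath(os.path.join(root, relative))
            if os.path.commonpath([root, target]) != root:
                escaping.append(name)
    return escaping


def extract_checked(archive_bytes, dest_dir):
    """Extract only if every entry stays inside dest_dir; otherwise reject it all."""
    escaping = escaping_entries(archive_bytes, dest_dir)
    if escaping:
        raise ValueError("archive rejected, entries escape target: %r" % escaping)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        zf.extractall(dest_dir)
    return sorted(os.listdir(dest_dir))


if __name__ == "__main__":
    sample = build_zip(["my_ext/ext_emconf.php", "../../outside.php"])
    with tempfile.TemporaryDirectory() as dest:
        print(escaping_entries(sample, dest))
```

Rejecting the archive outright, rather than skipping the offending entries, also leaves a clear event to log when an uploaded extension package contains traversal sequences.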

 

Vulnerable Systems:

TYPO3 before 8.7.30

TYPO3 9.x before 9.5.12

TYPO3 10.x before 10.2.2

 

CVE Information:

CVE-2019-19848

 

Disclosure Timeline:
Published Date: 12/17/2019
