CVE-2023-47126 LOW

CVE-2023-47126: Information Disclosure in Install Tool in typo3/cms-install

Vendor Typo3

Product typo3

Weakness CWE-200 · Info exposure

Published November 14, 2023

Last update August 29, 2024

View on NVD All CVEs

CVSS base score

3.7/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions the login screen of the standalone install tool discloses the full path of the transient data directory (e.g. /var/www/html/var/transient/). This applies to composer-based scenarios only - “classic” non-composer installations are not affected. This issue has been addressed in version 12.4.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

Disclosure timeline

November 14, 2023 CVE published

August 29, 2024 Record updated