PT-2019-15979 · Typo3 · Typo3
Kai Ullrich · Published 2019-12-17 · Updated 2024-03-12
CVE-2019-19848
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
TYPO3 versions prior to 8.7.30
TYPO3 versions 9.x prior to 9.5.12
TYPO3 versions 10.x prior to 10.2.2
Description
The extraction of manually uploaded ZIP archives in the Extension Manager is vulnerable to directory traversal. Exploitation requires admin privileges; in versions 9 LTS and later, System Maintainer privileges are also required.
Recommendations
For versions prior to 8.7.30, update to version 8.7.30 or later.
For versions 9.x prior to 9.5.12, update to version 9.5.12 or later.
For versions 10.x prior to 10.2.2, update to version 10.2.2 or later.
Exploit
Fix
Path traversal
Affected Products
TYPO3