PT-2022-20484 · Typo3 · Typo3
Lina Wolf · Published 2022-06-14 · Updated 2024-03-06 · CVE-2022-31046
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
TYPO3 versions prior to 7.6.57 ELTS
TYPO3 versions prior to 8.7.47 ELTS
TYPO3 versions prior to 9.5.34 ELTS
TYPO3 versions prior to 10.4.29
TYPO3 versions prior to 11.5.11
Description
The export functionality in TYPO3 fails to limit the result set to allowed columns of a particular database table, allowing authenticated users to export internal details of database tables they already have access to.
Recommendations
For versions prior to 7.6.57 ELTS, update to version 7.6.57 ELTS or later.
For versions prior to 8.7.47 ELTS, update to version 8.7.47 ELTS or later.
For versions prior to 9.5.34 ELTS, update to version 9.5.34 ELTS or later.
For versions prior to 10.4.29, update to version 10.4.29 or later.
For versions prior to 11.5.11, update to version 11.5.11 or later.
As a temporary workaround, consider denying access to the export functionality for regular backend users by setting options.impexp.enableExportForNonAdminUser to 0 in the User TSconfig.
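The following is an added example and not TYPO3 code. It models the defect class the description names (an export routine that checks access to the table but then returns every column of each row) next to a hardened version that keeps only the columns the requesting backend user may read and that also honours an "export enabled for non-admin users" switch, the shape of the workaround above. The table rows, users, permission model and the names `BackendUser`, `export_vulnerable`, `export_fixed` and `leaked_columns` are all constructed for this example.

```python
"""Added example, not TYPO3 code: column allow-listing in a table export."""
from dataclasses import dataclass, field


# Constructed sample table with fields a regular editor should not see.
TABLE_ROWS = {
    "be_users": [
        {"uid": 1, "username": "editor", "email": "editor@example.test",
         "password": "<hash placeholder>", "mfa": "<secret placeholder>"},
    ],
}


class ExportDenied(PermissionError):
    """Raised when a user may not export the requested table."""


@dataclass
class BackendUser:
    name: str
    is_admin: bool
    # Assumed counterpart of the User TSconfig switch named in the workaround.
    export_enabled_for_non_admin: bool = False
    # Columns this user may read, per table (constructed permission model).
    allowed_columns: dict = field(default_factory=dict)

    def may_read_table(self, table: str) -> bool:
        return self.is_admin or table in self.allowed_columns

    def may_read_column(self, table: str, column: str) -> bool:
        return self.is_admin or column in self.allowed_columns.get(table, set())


def export_vulnerable(user: BackendUser, table: str) -> list:
    """Vulnerable pattern: table access is checked, column access is not."""
    if not user.may_read_table(table):
        raise ExportDenied(f"no read access to table {table}")
    # Every column of every row is copied into the export.
    return [dict(row) for row in TABLE_ROWS.get(table, [])]


def export_fixed(user: BackendUser, table: str) -> list:
    """Hardened: gate non-admin export, then keep only permitted columns."""
    if not user.is_admin and not user.export_enabled_for_non_admin:
        raise ExportDenied("export is disabled for non-admin users")
    if not user.may_read_table(table):
        raise ExportDenied(f"no read access to table {table}")
    return [
        {col: val for col, val in row.items() if user.may_read_column(table, col)}
        for row in TABLE_ROWS.get(table, [])
    ]


def leaked_columns(user: BackendUser, table: str) -> set:
    """Columns the vulnerable export reveals beyond the user's column rights."""
    exposed = export_vulnerable(user, table)
    permitted = export_fixed(user, table)
    leaked = set()
    for full, limited in zip(exposed, permitted):
        leaked |= set(full) - set(limited)
    return leaked


if __name__ == "__main__":
    editor = BackendUser("editor", is_admin=False, export_enabled_for_non_admin=True,
                         allowed_columns={"be_users": {"uid", "username", "email"}})
    print("columns leaked by the vulnerable export:",
          sorted(leaked_columns(editor, "be_users")))
```

The point of `leaked_columns` is the check a reviewer would run on an export path: diff what the routine emits against what the user's column permissions allow, and treat any non-empty difference as a finding. The fixed routine applies the column filter per row, so a later change to the permission model cannot silently widen the export.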
Information Disclosure
Cleartext Transmission of Sensitive Information
Related Identifiers
Affected Products: Typo3