PT-2023-22698 · Typo3 · Typo3

Published: 2023-12-24 · Updated: 2024-03-06 · CVE-2023-30451

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: TYPO3 version 11.5.24

Description: The filelist component in TYPO3 allows attackers with access to the administrator panel to read arbitrary files via directory traversal in the baseuri field. This can be demonstrated by sending a POST request to /typo3/record/edit with ../../../ in data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF]. The issue is related to the File Abstraction Layer (FAL) component, which could be configured to access directories outside of the project root directory. An administrator-level backend user account is required to exploit this issue.

Recommendations: Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, or 13.0.1 to fix the problem. As a temporary workaround, consider restricting access to the filelist component and the baseuri field to minimize the risk of exploitation. To grant additional access to directories, they must be explicitly configured in the system settings of $GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath'].
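The fix described above comes down to one rule: a storage base path submitted through the backend form must resolve to a directory inside the project root, or inside a directory that an administrator has explicitly listed (the lockRootPath setting). The following Python model of that containment check is an added example written for this page; it is not code from the advisory or from the TYPO3 project (which is PHP). The project root, the allowlist entries, the record id "1" in the form keys, and the function names are all constructed here for illustration, and lockRootPath is modelled as a list of absolute directories.

```python
import posixpath
import re

# Constructed values for the example; a real site has its own root and allowlist.
PROJECT_ROOT = "/var/www/site"
LOCK_ROOT_PATHS = ["/var/shared/assets"]  # stands in for BE/lockRootPath (assumption: list of dirs)

# Form key shape taken from the advisory: data[sys_file_storage][<uid>][data][sDEF][lDEF][basePath][vDEF]
BASE_PATH_KEY = re.compile(
    r"^data\[sys_file_storage\]\[([^\]]+)\]\[data\]\[sDEF\]\[lDEF\]\[basePath\]\[vDEF\]$"
)


def resolve_storage_base_path(base_path, project_root=PROJECT_ROOT, lock_root_paths=None):
    """Return the normalized absolute directory if it stays inside the project root
    or an explicitly allowed directory; return None if it escapes (e.g. via ../)."""
    allowed_roots = [project_root] + list(lock_root_paths or [])
    if posixpath.isabs(base_path):
        candidate = posixpath.normpath(base_path)
    else:
        # Relative base paths are anchored at the project root, then collapsed,
        # so "../../../" walks out of the root and is caught below.
        candidate = posixpath.normpath(posixpath.join(project_root, base_path))
    for root in allowed_roots:
        root_n = posixpath.normpath(root)
        # Prefix check with a trailing slash so "/var/www/site2" does not pass for "/var/www/site".
        if candidate == root_n or candidate.startswith(root_n + "/"):
            return candidate
    return None


def audit_storage_form(form, project_root=PROJECT_ROOT, lock_root_paths=None):
    """Walk a submitted record-edit form and map each sys_file_storage uid to
    (submitted basePath, resolved directory or None)."""
    results = {}
    for key, value in form.items():
        match = BASE_PATH_KEY.match(key)
        if match:
            uid = match.group(1)
            results[uid] = (value, resolve_storage_base_path(value, project_root, lock_root_paths))
    return results


if __name__ == "__main__":
    # Constructed POST body: one benign storage record and one traversal attempt.
    form = {
        "data[sys_file_storage][1][data][sDEF][lDEF][basePath][vDEF]": "fileadmin/",
        "data[sys_file_storage][2][data][sDEF][lDEF][basePath][vDEF]": "../../../",
    }
    for uid, (submitted, resolved) in audit_storage_form(form, lock_root_paths=LOCK_ROOT_PATHS).items():
        status = "allowed" if resolved else "REJECTED (outside project root and lockRootPath)"
        print(f"storage {uid}: {submitted!r} -> {resolved!r}: {status}")
```

The check normalizes before comparing, so segment-level tricks such as fileadmin/../../other are collapsed and rejected just like a bare ../ prefix; an absolute path is only accepted when it sits under an allowlisted directory, which mirrors the advisory's point that additional directories must be configured explicitly rather than reachable by traversal.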

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BIT-TYPO3-2023-30451
CVE-2023-30451
GHSA-3GJC-MP82-FJ4Q
GHSA-W6X2-JG8H-P6MP

Affected Products

Typo3