CVE-2024-47780

TYPO3 is a free and open source Content Management Framework. Backend users could see items in the backend page tree without having access if the mounts pointed to pages restricted for their user/group, or if no mounts were configured but the pages allowed access to "everybody." However, affected users could not manipulate these pages. Users are advised to update to TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, 13.3.1 that fix the problem described. There are no known workarounds for this vulnerability.

CVSS v3 3.1 LOW

3.1^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.6 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/TYPO3/typo3/security/advisories/GHSA-rf5m-h8q9-9w6q
https://typo3.org/security/advisory/typo3-core-sa-2024-012

Configurations

No configuration.

History

No history.

Information

Published : 2024-10-08 18:15

Updated : 2024-10-10 12:56

NVD link : CVE-2024-47780

Mitre link : CVE-2024-47780

CVE.ORG link : CVE-2024-47780

JSON object : View

Products Affected

No product.

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2024-47780", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.6}]}, "published": "2024-10-08T18:15:30.950", "references": [{"url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-rf5m-h8q9-9w6q", "source": "security-advisories@github.com"}, {"url": "https://typo3.org/security/advisory/typo3-core-sa-2024-012", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "TYPO3 is a free and open source Content Management Framework. Backend users could see items in the backend page tree without having access if the mounts pointed to pages restricted for their user/group, or if no mounts were configured but the pages allowed access to \"everybody.\" However, affected users could not manipulate these pages. Users are advised to update to TYPO3 versions 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, 13.3.1 that fix the problem described. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "TYPO3 es un framework de gesti\u00f3n de contenido gratuito y de c\u00f3digo abierto. Los usuarios del backend pod\u00edan ver elementos en el \u00e1rbol de p\u00e1ginas del backend sin tener acceso si los montajes apuntaban a p\u00e1ginas restringidas para su usuario/grupo, o si no se configuraban montajes pero las p\u00e1ginas permit\u00edan el acceso a \"todos\". Sin embargo, los usuarios afectados no pod\u00edan manipular estas p\u00e1ginas. Se recomienda a los usuarios que actualicen a las versiones 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, 13.3.1 de TYPO3 que solucionan el problema descrito. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2024-10-10T12:56:30.817", "sourceIdentifier": "security-advisories@github.com"}