Description

In TYPO3 11.5.24, the filelist component allows attackers (who have access to the administrator panel) to read arbitrary files via directory traversal in the baseuri field, as demonstrated by POST /typo3/record/edit with ../../../ in data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF].

Remediation

References

CVE-2023-30451

Related Vulnerabilities

Apache Tomcat Incomplete Cleanup Vulnerability (CVE-2025-31650)

PostgreSQL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-7486)

WordPress Plugin Limit Login Attempts Reloaded Cross-Site Scripting (2.7.0)

phpMyFAQ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2023-4007)

WordPress Plugin SEO Backlinks Cross-Site Request Forgery (4.0.1)

Severity

Medium

Classification

CVE-2023-30451 CWE-22 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities