TYPO3 FAL DataHandler RCE via fallback storage (8.7-13.0.1)
CVE-2024-25121 Published on February 13, 2024
Improper Access Control Persisting File Abstraction Layer Entities via Data Handler in TYPO3
TYPO3 is an open-source, PHP-based web content management system released under the GNU GPL. In affected versions of TYPO3, entities of the File Abstraction Layer (FAL) could be persisted directly via `DataHandler`. This allowed attackers to reference files in the fallback storage directly and retrieve their file names and contents. The fallback storage ("zero-storage") is used as a backward compatibility layer for files located outside properly configured file storages and within the public web root directory. Exploiting this vulnerability requires a valid backend user account.
Users are advised to update to TYPO3 version 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, or 13.0.1, which fix the problem described.
When persisting entities of the File Abstraction Layer directly via DataHandler, `sys_file` entities are now denied by default, and `sys_file_reference` and `sys_file_metadata` entities are no longer permitted to reference files in the fallback storage. When importing data from secure origins, this must be explicitly enabled in the corresponding DataHandler instance by using `$dataHandler->isImporting = true;`.
Vulnerability Analysis
CVE-2024-25121 can be exploited with network access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. An exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and no impact on availability.
Weakness Types
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2024-25121 has been classified as an Information Disclosure vulnerability or weakness.
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2024-25121 has been classified as an Authorization vulnerability or weakness.
Products Associated with CVE-2024-25121
Affected Versions
typo3:
- Version >= 13.0.0, < 13.0.1 is affected.
- Version >= 12.0.0, < 12.4.11 is affected.
- Version >= 11.0.0, < 11.5.35 is affected.
- Version >= 10.0.0, < 10.4.43 is affected.
- Version >= 9.0.0, < 9.5.46 is affected.
- Version >= 8.0.0, < 8.7.57 is affected.
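A triage check for the ranges listed above, added here as an example and not part of the original advisory: it reads the content of a composer.lock file and reports whether the installed TYPO3 core falls in an affected range and which release fixes that branch. The package name typo3/cms-core, the function names and the sample lock content are assumptions made for the example.

```python
import json
import re

# Affected ranges copied from the list above: (first affected, first fixed).
AFFECTED = [
    ((13, 0, 0), (13, 0, 1)),
    ((12, 0, 0), (12, 4, 11)),
    ((11, 0, 0), (11, 5, 35)),
    ((10, 0, 0), (10, 4, 43)),
    ((9, 0, 0), (9, 5, 46)),
    ((8, 0, 0), (8, 7, 57)),
]


def parse_version(text):
    """Turn 'v12.4.10' or '12.4.10' into (12, 4, 10); None if not a release tag."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def check_version(text):
    """Return (status, fixed_version) for one TYPO3 core version string."""
    version = parse_version(text)
    if version is None:
        return ("unknown", None)  # e.g. 'dev-main': needs manual review
    for low, fixed in AFFECTED:
        if low <= version < fixed:
            return ("affected", ".".join(map(str, fixed)))
    return ("not-listed", None)  # outside every range listed on this page


def check_composer_lock(lock_text, package="typo3/cms-core"):
    """Find the TYPO3 core package in composer.lock content and classify it."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == package:
            return (pkg["version"],) + check_version(pkg["version"])
    return (None, "not-installed", None)


# Constructed sample input, not taken from a real project.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "typo3/cms-core", "version": "v12.4.10"},
    {"name": "typo3/cms-backend", "version": "v12.4.10"},
]})

if __name__ == "__main__":
    print(check_composer_lock(SAMPLE_LOCK))
```

A result of "unknown" or "not-listed" means the version string could not be matched against the ranges on this page, not that the installation has been verified as fixed.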
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.