It has been discovered that editors could change, create or delete metadata of files without permission.
July 1, 2015
Vulnerable subcomponent: Backend
Broken Access Control
Versions 6.2.0 to 6.2.13, 7.0.0 to 7.3.0
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C
not assigned yet
It has been discovered that editors with access to the file metadata table could change, create or delete metadata of files which are not within their file mounts.
Update to TYPO3 version 6.2.14 or 7.3.1, which fix the problem described.
Thanks to Marc Bastian Heinrichs who discovered and reported the issue.
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce
All security-related code changes are tagged so that you can easily look them up on our review system.