It has been discovered that editors could list all files and folders in the root directory of a TYPO3 installation.
July 1, 2015
Vulnerable subcomponent: Backend
Versions 6.2.0 to 6.2.13, 7.0.0 to 7.3.0
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C
not assigned yet
It has been discovered that editors with access to the file list module could list all files and folders in the root directory of a TYPO3 installation. Modification of files or listing further nested directories was not possible.
Update to TYPO3 versions 6.2.14 or 7.3.1 that fix the problem described.
Thanks to Helmut Hummel who discovered and reported the issue.
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce
All security-related code changes are tagged so that you can easily look them up on our review system.