It has been discovered that TYPO3 is susceptible to unauthenticated path disclosure.
September 8, 2015
Vulnerable subcomponent: Frontend
Affected versions: 6.2.0 to 6.2.14, 7.0.0 to 7.3.1
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
CVE: not assigned yet
It has been discovered that calling a PHP script which is delivered with TYPO3 for testing purposes discloses the absolute server path of the TYPO3 installation.
Update to TYPO3 version 6.2.15 or 7.4.0, which fix the problem described.
Thanks to Heiko Kromm who discovered and reported the issue.
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce
All security-related code changes are tagged so that you can easily look them up on our review system.