- Component Type: TYPO3 CMS
- Subcomponent: Install Tool (ext:install)
- Release Date: November 14, 2023
- Vulnerability Type: Information Disclosure
- Affected Versions: 12.2.0-12.4.7
- Severity: Low
- Suggested CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
- References: CVE-2023-47126, CWE-200

The login screen of the standalone install tool discloses the full path of the transient data directory (e.g. /var/www/html/var/transient/). This applies to composer-based scenarios only; “classic” non-composer installations are not affected.

Update to TYPO3 version 12.4.8, which fixes the problem described above.

Thanks to Markus Klein, who reported and fixed the issue.

All security-related code changes are tagged so that you can easily look them up in our review system.
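
To check whether a composer-based project falls in the affected range, the following added example (not part of the advisory or of TYPO3 itself) reads a `composer.lock` and classifies the locked `typo3/cms-core` and `typo3/cms-install` versions against 12.2.0-12.4.7. It assumes the project's `composer.lock` is available; the sample lock data is constructed.

```python
import json
import sys

AFFECTED_MIN = (12, 2, 0)   # first affected release per the advisory
AFFECTED_MAX = (12, 4, 7)   # last affected release; 12.4.8 carries the fix
PACKAGES = ("typo3/cms-core", "typo3/cms-install")

# Constructed sample: a minimal composer.lock excerpt, not from a real project.
SAMPLE_LOCK = """
{"packages": [
  {"name": "typo3/cms-core", "version": "v12.4.7"},
  {"name": "typo3/cms-install", "version": "v12.4.7"},
  {"name": "psr/log", "version": "3.0.0"}
]}
"""


def parse_version(raw):
    """Turn 'v12.4.7' or '12.4.7' into (12, 4, 7); None for dev branches."""
    parts = raw.lstrip("v").split("-")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def check_lock(lock_text):
    """Return {package: (locked_version, status)} for the TYPO3 packages."""
    lock = json.loads(lock_text)
    findings = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name")
        if name not in PACKAGES:
            continue
        raw = pkg.get("version", "")
        ver = parse_version(raw)
        if ver is None:
            status = "unknown"  # e.g. '12.4.x-dev': check the commit manually
        elif AFFECTED_MIN <= ver <= AFFECTED_MAX:
            status = "affected"
        else:
            status = "not affected"
        findings[name] = (raw, status)
    return findings


if __name__ == "__main__":
    # Pass the path to the project's composer.lock; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, (raw, status) in check_lock(text).items():
        print(f"{name} {raw}: {status}")
```

Development branches are reported as "unknown" because a branch alias alone does not show whether the fix is included.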