TYPO3-CORE-SA-2023-005: Information Disclosure in Install Tool

Categories: Development, TYPO3 CMS Created by Oliver Hader
It has been discovered that TYPO3 CMS is susceptible to information disclosure.

Problem Description

The login screen of the standalone install tool discloses the full path of the transient data directory (e.g. /var/www/html/var/transient/). This applies to composer-based scenarios only - “classic” non-composer installations are not affected.


Update to TYPO3 version 12.4.8 that fixes the problem described above.


Thanks to Markus Klein who reported and fixed the issue.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security related code changes are tagged so that you can easily look them up in our review system.