- Component Type: TYPO3 CMS
- Subcomponent: Install Tool (ext:install)
- Release Date: November 14, 2023
- Vulnerability Type: Information Disclosure
- Affected Versions: 12.2.0-12.4.7
- Severity: Low
- Suggested CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
- References: CVE-2023-47126, CWE-200
Problem Description
The login screen of the standalone install tool discloses the absolute filesystem path of the transient data directory (e.g. /var/www/html/var/transient/) to unauthenticated visitors. This applies to Composer-based installations only; "classic" non-Composer installations are not affected.
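As an added illustration that is not part of the advisory, the following Python triage helper checks whether an installation's version and deployment mode fall inside the affected range stated above, and scans a fetched page body for absolute paths ending in a var/transient segment. The page body used here is a constructed sample and does not reproduce the install tool's real markup; the path pattern is an assumption derived only from the example path given in the problem description.

```python
import re
from typing import List, Tuple

# Range taken from the advisory header: 12.2.0 up to and including 12.4.7 are affected,
# 12.4.8 is the first fixed release.
AFFECTED_MIN = (12, 2, 0)
FIXED = (12, 4, 8)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a 'major.minor.patch' TYPO3 version; trailing suffixes (e.g. '-dev') are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised TYPO3 version string: {version!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(version: str, composer_mode: bool) -> bool:
    """True if this installation is inside the advisory's affected range.

    Classic (non-Composer) installations are not affected regardless of version,
    so the mode check comes first.
    """
    if not composer_mode:
        return False
    return AFFECTED_MIN <= parse_version(version) < FIXED


# Assumption: a leaked transient directory looks like the advisory's example, i.e. an
# absolute path whose last segments are 'var/transient'. The lookbehind stops the pattern
# from starting in the middle of a longer token.
TRANSIENT_PATH_RE = re.compile(r"(?<![\w.\-])(/(?:[\w.\-]+/)*var/transient/?)")


def leaked_transient_paths(body: str) -> List[str]:
    """Return the distinct absolute transient-directory paths found in a page body."""
    found: List[str] = []
    for path in TRANSIENT_PATH_RE.findall(body):
        if path not in found:
            found.append(path)
    return found


# Constructed sample body for this example; it is NOT the real install tool login markup,
# only a stand-in containing the kind of path the advisory describes.
SAMPLE_LOGIN_PAGE = """<html><body>
<h1>Install Tool</h1>
<p>Data directory: /var/www/html/var/transient/ (constructed sample)</p>
<form method="post"><input type="password" name="install[password]"></form>
</body></html>"""


if __name__ == "__main__":
    for ver, composer in (("12.4.7", True), ("12.4.8", True), ("12.4.7", False)):
        print(ver, "composer" if composer else "classic", "->", is_affected(ver, composer))
    print("leaked paths:", leaked_transient_paths(SAMPLE_LOGIN_PAGE))
```

In practice the body would come from an HTTP GET of the install tool login page of a staging copy you own; the helper deliberately does no network I/O so it can be dropped into an existing scanner or run against saved responses.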
Solution
Update to TYPO3 version 12.4.8, which fixes the problem described above.
Credits
Thanks to Markus Klein who reported and fixed the issue.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
General Note
All security-related code changes are tagged so that you can easily look them up in our review system.