VulnerableCode Package Details - pkg:composer/typo3/cms@11.5.24

Search for packages

Vulnerability	Summary	Fixed by
VCID-2f1j-4zed-73gp Aliases: CVE-2023-30451 GHSA-w6x2-jg8h-p6mp	Path Traversal in TYPO3 File Abstraction Layer Storages ### Problem Configurable storages using the local driver of the File Abstraction Layer (FAL) could be configured to access directories outside of the root directory of the corresponding project. The system setting in `BE/lockRootPath` was not evaluated by the file abstraction layer component. An administrator-level backend user account is required to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. #### ℹ️ Strong security defaults - Manual actions required _see [Important: #102800 changelog](https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/11.5.x/Important-102800-FileAbstractionLayerEnforcesAbsolutePathsToMatchProjectRootOrLockRootPath.html)_ Assuming that a web project is located in the directory `/var/www/example.org` (the "project root path" for Composer-based projects) and the publicly accessible directory is located at `/var/www/example.org/public` (the "public root path"), accessing resources via the File Abstraction Layer component is limited to the mentioned directories. To grant additional access to directories, they must be explicitly configured in the system settings of `$GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath']` - either using the Install Tool or according to deployment techniques. The existing setting has been extended to support multiple directories configured as an array of strings. Example: ```php $GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath'] = [ ‘/var/shared/documents/’, ‘/var/shared/images/’, ]; ``` ❗ Storages that reference directories not explicitly granted will be marked as "offline" internally - no resources can be used in the website's frontend and backend context. ### Credits Thanks to TYPO3 core & security team members Oliver Hader and Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-001](https://typo3.org/security/advisory/typo3-core-sa-2024-001)	11.5.25 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-2f1j-4zed-73gp
Aliases:
CVE-2023-30451
GHSA-w6x2-jg8h-p6mp

Path Traversal in TYPO3 File Abstraction Layer Storages ### Problem Configurable storages using the local driver of the File Abstraction Layer (FAL) could be configured to access directories outside of the root directory of the corresponding project. The system setting in `BE/lockRootPath` was not evaluated by the file abstraction layer component. An administrator-level backend user account is required to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. #### ℹ️ **Strong security defaults - Manual actions required** _see [Important: #102800 changelog](https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/11.5.x/Important-102800-FileAbstractionLayerEnforcesAbsolutePathsToMatchProjectRootOrLockRootPath.html)_ Assuming that a web project is located in the directory `/var/www/example.org` (the "project root path" for Composer-based projects) and the publicly accessible directory is located at `/var/www/example.org/public` (the "public root path"), accessing resources via the File Abstraction Layer component is limited to the mentioned directories. To grant additional access to directories, they must be explicitly configured in the system settings of `$GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath']` - either using the Install Tool or according to deployment techniques. The existing setting has been extended to support multiple directories configured as an array of strings. Example: ```php $GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath'] = [ ‘/var/shared/documents/’, ‘/var/shared/images/’, ]; ``` ❗ **Storages that reference directories not explicitly granted will be marked as "offline" internally - no resources can be used in the website's frontend and backend context.** ### Credits Thanks to TYPO3 core & security team members Oliver Hader and Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-001](https://typo3.org/security/advisory/typo3-core-sa-2024-001)

11.5.25
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-03T18:56:34.034373+00:00	GitLab Importer	Affected by	VCID-2f1j-4zed-73gp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2023-30451.yml	37.0.0
2025-07-01T18:15:18.657257+00:00	GitLab Importer	Affected by	VCID-2f1j-4zed-73gp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2023-30451.yml	36.1.3

2025-07-03T18:56:34.034373+00:00

GitLab Importer

Affected by

VCID-2f1j-4zed-73gp

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2023-30451.yml

37.0.0

2025-07-01T18:15:18.657257+00:00

GitLab Importer

Affected by

VCID-2f1j-4zed-73gp

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2023-30451.yml

36.1.3

Next non-vulnerable version	11.5.25
Latest non-vulnerable version	12.2.0
Risk	3.1