VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-yqf5-djd2-suea

Essentials
Severities (22)
References (12)
Severity details (21)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-yqf5-djd2-suea
Aliases	CVE-2024-25120 GHSA-wf85-8hx9-gj7c
Summary	TYPO3 vulnerable to Improper Access Control of Resources Referenced by t3:// URI Scheme ### Problem The TYPO3-specific [`t3://` URI scheme](https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Functions/Typolink.html#resource-references) could be used to access resources outside of the users' permission scope. This encompassed files, folders, pages, and records (although only if a valid link-handling configuration was provided). Exploiting this vulnerability requires a valid backend user account. ### Solution Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. ### Credits Thanks to Richie Lee who reported this issue and to TYPO3 core & security team member Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2024-005](https://typo3.org/security/advisory/typo3-core-sa-2024-005)
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-200	Exposure of Sensitive Information to an Unauthorized Actor
CWE-284	Improper Access Control
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00139	https://api.first.org/data/v1/epss?cve=CVE-2024-25120
cvssv3.1	4.3	https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Functions/Typolink.html#resource-references
generic_textual	MODERATE	https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Functions/Typolink.html#resource-references
ssvc	Track	https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Functions/Typolink.html#resource-references
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-wf85-8hx9-gj7c
cvssv3.1	4.3	https://github.com/TYPO3/typo3
generic_textual	MODERATE	https://github.com/TYPO3/typo3
cvssv3.1	4.3	https://github.com/TYPO3/typo3/commit/2de87ff113ba24333ab7cbb8078588743f8958d6
generic_textual	MODERATE	https://github.com/TYPO3/typo3/commit/2de87ff113ba24333ab7cbb8078588743f8958d6
cvssv3.1	4.3	https://github.com/TYPO3/typo3/commit/33f4d279b82bca0a509227a17065244c6156e68f
generic_textual	MODERATE	https://github.com/TYPO3/typo3/commit/33f4d279b82bca0a509227a17065244c6156e68f
cvssv3.1	4.3	https://github.com/TYPO3/typo3/commit/ae0dfc4c058a90c10eedb3f49cfaf33164d21cdd
generic_textual	MODERATE	https://github.com/TYPO3/typo3/commit/ae0dfc4c058a90c10eedb3f49cfaf33164d21cdd
cvssv3.1	4.3	https://github.com/TYPO3/typo3/security/advisories/GHSA-wf85-8hx9-gj7c
cvssv3.1_qr	MODERATE	https://github.com/TYPO3/typo3/security/advisories/GHSA-wf85-8hx9-gj7c
generic_textual	MODERATE	https://github.com/TYPO3/typo3/security/advisories/GHSA-wf85-8hx9-gj7c
ssvc	Track	https://github.com/TYPO3/typo3/security/advisories/GHSA-wf85-8hx9-gj7c
cvssv3.1	4.3	https://nvd.nist.gov/vuln/detail/CVE-2024-25120
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2024-25120
cvssv3.1	4.3	https://typo3.org/security/advisory/typo3-core-sa-2024-005
generic_textual	MODERATE	https://typo3.org/security/advisory/typo3-core-sa-2024-005
ssvc	Track	https://typo3.org/security/advisory/typo3-core-sa-2024-005

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2024-25120
		https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Functions/Typolink.html#resource-references
		https://github.com/TYPO3/typo3
		https://github.com/TYPO3/typo3/commit/2de87ff113ba24333ab7cbb8078588743f8958d6
		https://github.com/TYPO3/typo3/commit/33f4d279b82bca0a509227a17065244c6156e68f
		https://github.com/TYPO3/typo3/commit/ae0dfc4c058a90c10eedb3f49cfaf33164d21cdd
		https://github.com/TYPO3/typo3/security/advisories/GHSA-wf85-8hx9-gj7c
		https://nvd.nist.gov/vuln/detail/CVE-2024-25120
		https://typo3.org/security/advisory/typo3-core-sa-2024-005
cpe:2.3:a:typo3:typo3::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3::::::::
cpe:2.3:a:typo3:typo3:13.0.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:typo3:typo3:13.0.0:::::::*
GHSA-wf85-8hx9-gj7c		https://github.com/advisories/GHSA-wf85-8hx9-gj7c

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Functions/Typolink.html#resource-references

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-14T15:55:10Z/ Found at https://docs.typo3.org/m/typo3/reference-typoscript/main/en-us/Functions/Typolink.html#resource-references

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/TYPO3/typo3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/TYPO3/typo3/commit/2de87ff113ba24333ab7cbb8078588743f8958d6

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/TYPO3/typo3/commit/33f4d279b82bca0a509227a17065244c6156e68f

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/TYPO3/typo3/commit/ae0dfc4c058a90c10eedb3f49cfaf33164d21cdd

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/TYPO3/typo3/security/advisories/GHSA-wf85-8hx9-gj7c

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-14T15:55:10Z/ Found at https://github.com/TYPO3/typo3/security/advisories/GHSA-wf85-8hx9-gj7c

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-25120

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://typo3.org/security/advisory/typo3-core-sa-2024-005

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-14T15:55:10Z/ Found at https://typo3.org/security/advisory/typo3-core-sa-2024-005

Exploit Prediction Scoring System (EPSS)

Percentile	0.34756
EPSS Score	0.00139
Published At	June 30, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-01T12:09:46.526117+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-wf85-8hx9-gj7c/GHSA-wf85-8hx9-gj7c.json	36.1.3