TYPO3 Broken Access Control in Localization Handling · GHSA-9rx9-7fmh-gj3g · GitHub Advisory Database · GitHub

TYPO3 Broken Access Control in Localization Handling

Moderate severity GitHub Reviewed Published May 30, 2024 to the GitHub Advisory Database • Updated May 30, 2024

Package

typo3/cms-core (Composer)

Affected versions

>= 8.0.0, < 8.7.23

Patched versions

8.7.23

Description

It has been discovered that backend users having limited access to specific languages are capable of modifying and creating pages in the default language which actually should be disallowed. A valid backend user account is needed in order to exploit this vulnerability.

References

Published to the GitHub Advisory Database May 30, 2024

Reviewed May 30, 2024

Last updated May 30, 2024

Severity

Moderate

6.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N