Path traversal in TYPO3 - CVE-2010-5101
Published: May 21, 2012 / Updated: November 18, 2020
Vulnerability identifier: #VU44063
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2010-5101
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: TYPO3
Affected software:
TYPO3
TYPO3
Detailed vulnerability description
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in the TypoScript setup in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5. A remote authenticated attacker can send a specially crafted HTTP request and remote authenticated administrators to read arbitrary files via unspecified vectors related to the file inclusion functionality.
How to mitigate CVE-2010-5101
Install update from vendor's website.
Sources
- http://secunia.com/advisories/35770
- http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-sa-2010-022/
- http://www.openwall.com/lists/oss-security/2011/01/13/2
- http://www.openwall.com/lists/oss-security/2012/05/10/7
- http://www.openwall.com/lists/oss-security/2012/05/11/3
- http://www.openwall.com/lists/oss-security/2012/05/12/5
- http://www.osvdb.org/70119
- http://www.securityfocus.com/bid/45470
- https://exchange.xforce.ibmcloud.com/vulnerabilities/64180