php · typo3/cms-core · Heads-up
typo3/cms-core: Missing permission checks in Backend API file metadata routes
What changed
Authenticated backend users could retrieve file metadata via Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages.
Who it affects
TYPO3 CMS versions before 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, 14.3.3 LTS.
What to do today
Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, or 14.3.3 LTS.
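An added example (not part of the advisory or the TYPO3 project's code): a Python check that reads `composer.lock` content and compares the locked `typo3/cms-core` version with the fixed releases listed above. It assumes a Composer-based install with version tags of the form `v12.4.45`, compares only within the same major release line, and reports lines the advisory does not name as unknown; the sample lock content is constructed.

```python
import json
import re

# Fixed releases per major release line, taken from the advisory text above.
FIXED = {10: (10, 4, 57), 11: (11, 5, 51), 12: (12, 4, 46),
         13: (13, 4, 31), 14: (14, 3, 3)}


def parse_version(raw):
    """Turn 'v12.4.45' or '12.4.45' into (12, 4, 45); None for dev/branch aliases."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def assess(raw):
    """Return 'affected', 'fixed' or 'unknown' for one installed version string."""
    version = parse_version(raw)
    if version is None or version[0] not in FIXED:
        # Dev build, or a release line the advisory does not list (assumption:
        # treat as unknown rather than guessing).
        return "unknown"
    return "affected" if version < FIXED[version[0]] else "fixed"


def check_lock(lock_text, package="typo3/cms-core"):
    """Find the package in composer.lock content and assess its locked version."""
    lock = json.loads(lock_text)
    for entry in lock.get("packages", []) + lock.get("packages-dev", []):
        if entry.get("name") == package:
            locked = entry.get("version", "")
            return locked, assess(locked)
    return None, "not installed"


# Constructed sample composer.lock excerpt, not taken from a real project.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "typo3/cms-core", "version": "v12.4.45"},
    {"name": "symfony/console", "version": "v7.1.0"},
]})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

To check a real project, pass the contents of its `composer.lock` to `check_lock` instead of `SAMPLE_LOCK`.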