CVE-2023-30451: 
PHP vulnerability analysis and mitigation

In TYPO3 11.5.24, a path traversal vulnerability was discovered in the filelist component. The vulnerability allows authenticated attackers with administrator panel access to read arbitrary files through directory traversal in the baseuri field. This can be demonstrated by sending a POST request to /typo3/record/edit with ../../../ in data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF]. The vulnerability was assigned CVE-2023-30451 and was disclosed on December 25, 2023 (NVD).

The vulnerability is classified as a path traversal issue (CWE-22) with a CVSS v3.1 base score of 4.9 (MEDIUM). The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring high privileges (PR:H), no user interaction (UI:N), affecting only the local system (S:U), with high confidentiality impact (C:H) but no impact on integrity (I:N) or availability (A:N) (NVD).

The vulnerability allows attackers with administrator panel access to read arbitrary files on the system through directory traversal. This could potentially lead to unauthorized access to sensitive system files and information disclosure (NVD).

Users are advised to update to patched versions of TYPO3. The vulnerability has been addressed in subsequent releases including versions 11.5.35, 12.4.11, and 13.0.1 (CERT-FR).