CVE-2024-25120: 
PHP vulnerability analysis and mitigation

The vulnerability (CVE-2024-25120) affects TYPO3, an open-source PHP-based web content management system. The vulnerability was discovered in the TYPO3-specific t3:// URI scheme, which could be exploited to access resources outside of users' permission scope, including files, folders, pages, and records. The issue was disclosed on February 13, 2024, affecting TYPO3 versions 8.0.0-8.7.56, 9.0.0-9.5.45, 10.0.0-10.4.42, 11.0.0-11.5.34, 12.0.0-12.4.10, and 13.0.0 (TYPO3 Advisory, GitHub Advisory).

The vulnerability is classified as an Improper Access Control issue (CWE-284) and Exposure of Sensitive Information to an Unauthorized Actor (CWE-200). It received a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability specifically relates to the TYPO3-specific t3:// URI scheme implementation, which failed to properly enforce access controls for various resources (GitHub Advisory).

The vulnerability allows authenticated backend users to access resources outside their permission scope. This includes unauthorized access to files, folders, pages, and records, provided a valid link-handling configuration is present (TYPO3 Advisory).

Users are advised to update to the patched versions: TYPO3 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, or 13.0.1. There are no known workarounds for this issue (TYPO3 Advisory).