
Cloud Vulnerability DB
A community-led vulnerabilities database
TYPO3, an open source PHP-based web content management system, was found to contain a vulnerability (CVE-2024-25121) in its File Abstraction Layer (FAL) functionality. The vulnerability was discovered and disclosed on February 13, 2024, affecting TYPO3 versions 8.x through 13.x. This security issue impacts the system's DataHandler component, potentially exposing sensitive file information (TYPO3 Advisory, GitHub Advisory).
The vulnerability allows attackers to persist entities of the File Abstraction Layer (FAL) directly via DataHandler, enabling them to reference files in the fallback storage and retrieve their file names and contents. The fallback storage, known as 'zero-storage', serves as a backward compatibility layer for files located outside properly configured file storages and within the public web root directory. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N, indicating network accessibility with low attack complexity (GitHub Advisory).
The vulnerability primarily affects the confidentiality and integrity of the system, allowing unauthorized access to file names and contents within the fallback storage. This could lead to information disclosure and potential exposure of sensitive data stored in improperly configured file storage locations (GitHub Advisory).
The vulnerability has been patched in TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, and 13.0.1. In the patched versions, sys_file entities are denied by default, and sys_file_reference and sys_file_metadata entities are not permitted to reference files in the fallback storage. For cases requiring data import from secure origins, this must be explicitly enabled using $dataHandler->isImporting = true (GitHub Advisory).
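The following is an added illustration of the rules described above, written for this page and not taken from TYPO3's own DataHandler: a hypothetical pre-validation of a datamap (table => [id => fields], the DataHandler convention) that denies sys_file rows and rejects sys_file_reference/sys_file_metadata rows pointing at storage 0 unless an import is in progress. The sys_file lookup table is constructed inline; the function and variable names are assumptions.

```php
<?php
declare(strict_types=1);
// Storage uid of the sys_file a datamap row points at. Files created in the same
// datamap carry a "NEW..." placeholder id; existing files are looked up in
// $sysFiles, a constructed stand-in for the sys_file table (uid => row).
function resolveStorage(string $fileId, array $datamap, array $sysFiles): ?int
{
    if (str_starts_with($fileId, 'NEW')) {
        $row = $datamap['sys_file'][$fileId] ?? null;
    } else {
        $row = $sysFiles[(int)$fileId] ?? null;
    }
    return isset($row['storage']) ? (int)$row['storage'] : null;
}

// Returns a list of violations; an empty list means the datamap is acceptable.
// $isImporting plays the role of $dataHandler->isImporting for trusted imports.
function validateFalDatamap(array $datamap, array $sysFiles, bool $isImporting = false): array
{
    if ($isImporting) {
        return [];  // bypass only for imports from secure origins
    }
    $violations = [];
    // Rule 1: sys_file rows are denied by default.
    foreach (array_keys($datamap['sys_file'] ?? []) as $id) {
        $violations[] = "sys_file:$id: direct persistence of sys_file is not permitted";
    }
    // Rule 2: references and metadata must not point at fallback storage (uid 0).
    $refTables = ['sys_file_reference' => 'uid_local', 'sys_file_metadata' => 'file'];
    foreach ($refTables as $table => $fileField) {
        foreach ($datamap[$table] ?? [] as $id => $fields) {
            if (!isset($fields[$fileField])) {
                continue;
            }
            $storage = resolveStorage((string)$fields[$fileField], $datamap, $sysFiles);
            if ($storage === 0) {
                $violations[] = "$table:$id: file {$fields[$fileField]} lives in fallback storage 0";
            }
        }
    }
    return $violations;
}
// Constructed sample: file 7 is in a configured storage, file 9 in zero-storage.
$sysFiles = [7 => ['storage' => 1], 9 => ['storage' => 0]];
$datamap = ['sys_file_reference' => [
    'NEW1' => ['uid_local' => 7],
    'NEW2' => ['uid_local' => 9],
]];
print_r(validateFalDatamap($datamap, $sysFiles));
```

With the sample input, only the NEW2 reference is reported, since file 7 sits in a configured storage.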
Source: This report was generated using AI