CVE-2024-47780: 
PHP vulnerability analysis and mitigation

TYPO3, a free and open source Content Management Framework, was found to contain an information disclosure vulnerability (CVE-2024-47780). The vulnerability was discovered in the backend page tree functionality, affecting TYPO3 versions 10.0.0-10.4.45, 11.0.0-11.5.39, 12.0.0-12.4.20, and 13.0.0-13.3.0. The issue was disclosed on October 8, 2024 (TYPO3 Advisory, GitHub Advisory).

The vulnerability allows backend users to view items in the backend page tree without proper access permissions under specific conditions: when mounts pointed to pages restricted for their user/group, or when no mounts were configured but the pages allowed access to 'everybody'. The vulnerability has been assigned a CVSS v3.1 base score of 3.1 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. It has been classified as CWE-863 (Incorrect Authorization) (GitHub Advisory).

The impact of this vulnerability is limited to information disclosure. While affected users could see unauthorized items in the backend page tree, they were unable to manipulate these pages. The vulnerability only affects the visibility of items and does not grant additional manipulation capabilities (TYPO3 Advisory).

Users are advised to update to the patched versions: TYPO3 10.4.46 ELTS, 11.5.40 LTS, 12.4.21 LTS, or 13.3.1. There are no known workarounds for this vulnerability (TYPO3 Advisory).

The vulnerability was reported by Peter Schuler and fixed by TYPO3 core & security team member Oliver Hader (TYPO3 Advisory).