GHSA-wvvp-jwf5-qcpc: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-wvvp-jwf5-qcpc) titled 'Information Disclosure in Page Tree' was discovered in TYPO3 CMS core, affecting versions 9.0.0 to 9.5.5. The vulnerability was disclosed on May 7, 2019, and involves an information disclosure issue in the Page Tree component of the TYPO3 backend system (TYPO3 Advisory, GitHub Advisory).

The vulnerability has been assigned a moderate severity rating with a CVSS v3.1 base score of 4.3. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating network vector attack, low attack complexity, low privileges required, no user interaction needed, unchanged scope, low confidentiality impact, and no impact on integrity or availability. The vulnerability is classified as CWE-200 (Information Disclosure) (GitHub Advisory).

The vulnerability allows backend users to view pages in the page tree that they should not have access to, potentially exposing sensitive information. The impact is limited to information disclosure, with no effects on system integrity or availability. A valid backend user account is required to exploit this vulnerability (TYPO3 Advisory).

The vulnerability has been patched in TYPO3 version 9.5.6. Users are advised to update to this version or later to address the security issue. No alternative workarounds were provided in the advisory (TYPO3 Advisory).