Skip to main content

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')


Severity High
Score 8.3/10


TYPO3 is an open source PHP based web content management system. typo3/cms between 8.7.17 and 8.7.32, between 9.3.1 and 9.5.24, and 10.x before 10.4.13, and typo3/cms-form between 8.7.17 and 8.7.32, between 9.3.1 and 9.5.24, 10.x before 10.4.13, and version 11.0.0, due to improper input validation, attackers can by-pass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of the Form Framework. In the default configuration of the Form Framework this allows attackers to explicitly allow arbitrary mime-types for file uploads - however, default _fileDenyPattern_ successfully blocked files like _.htaccess_ or _malicious.php_. Besides that, attackers can persist those files in any writable directory of the corresponding TYPO3 installation. A valid backend user account with access to the form module is needed to exploit this vulnerability.

  • LOW
  • HIGH
  • NONE
  • LOW
  • LOW
  • HIGH

CWE-22 - Path Traversal

Path traversal (or directory traversal), is a vulnerability that allows malicious users to traverse the server's root directory, gaining access to arbitrary files and folders such as application code & data, back-end credentials, and sensitive operating system files. In the worst-case scenario, an attacker could potentially execute arbitrary files on the server, resulting in a denial of service attack. Such an exploit may severely impact the integrity, confidentiality, and availability of an application.

Advisory Timeline

  • Published