ASA-2019-00256 – TYPO3: Information Disclosure in Page Tree


Allele Security Alert

ASA-2019-00256

Identifier(s)

ASA-2019-00256, TYPO3-CORE-SA-2019-009

Title

Information Disclosure in Page Tree

Vendor(s)

TYPO3 Association

Product(s)

TYPO3 CMS

Affected version(s)

TYPO3 CMS versions 9.0.0 up to 9.5.5

Fixed version(s)

TYPO3 CMS version 9.5.6

Proof of concept

Unknown

Description

It has been discovered backend users not having read access to specific pages still could see them in the page tree which actually should be disallowed. A valid backend user account is needed in order to exploit this vulnerability.

Technical details

Unknown

Credits

Unknown

Reference(s)

TYPO3-CORE-SA-2019-009: Information Disclosure in Page Tree
https://typo3.org/security/advisory/typo3-core-sa-2019-009/

TYPO3 9.5.6 and 8.7.25 security releases published
https://typo3.org/article/typo3-956-and-8725-security-releases-published/

[TYPO3-announce] Announcing TYPO3 v9.5.6 and v8.7.25 security releases
http://lists.typo3.org/pipermail/typo3-announce/2019/000442.html

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: May 10, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.