TYPO3 CMS Media Module Fallback Storage Access Vulnerability

Vulnerability

A broken access control vulnerability has been identified in the TYPO3 CMS Media Module, affecting versions 11.0.0 through 11.5.50, 12.0.0 through 12.4.45, 13.0.0 through 13.4.30, and 14.0.0 through 14.3.2. This vulnerability allows backend users with file download permissions to access and download sensitive files, such as log files, from the fallback storage of the file abstraction layer (FAL). The issue arises because the fallback storage paths are resolved relative to the server's document root, potentially exposing confidential information.

Impact

Exploitation of this vulnerability could lead to unauthorized access and download of sensitive files from the server, such as log files, which may contain confidential information.

Reproduction

To reproduce this vulnerability, a backend user with file download permissions can use the Media Module to select files for download. The vulnerability can be triggered by requesting files that are stored in the fallback storage, which is not properly restricted. Once the files are requested, they will be downloaded as a zip file, including any sensitive data from the log files.

Remediation

Users are advised to update TYPO3 to versions 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, or 14.3.3 LTS, all of which address this vulnerability.
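The following added example (not part of the advisory and not TYPO3 project code) checks a Composer-based installation against the affected ranges and fixed releases listed above. It assumes the installed release can be read from the `typo3/cms-core` entry in `composer.lock`; the sample lock file is constructed for illustration.

```python
import json

# Affected ranges and fixed releases exactly as listed in the advisory.
AFFECTED = [
    ((11, 0, 0), (11, 5, 50), "11.5.51 ELTS"),
    ((12, 0, 0), (12, 4, 45), "12.4.46 ELTS"),
    ((13, 0, 0), (13, 4, 30), "13.4.31 LTS"),
    ((14, 0, 0), (14, 3, 2), "14.3.3 LTS"),
]

def parse_version(text):
    """'v12.4.40' -> (12, 4, 40); None for dev branches or other non-release strings."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def fixed_release_for(version):
    """Return the release to upgrade to if the version tuple is affected, else None."""
    for first, last, fixed in AFFECTED:
        if first <= version <= last:
            return fixed
    return None

def audit_lock(lock_text, package="typo3/cms-core"):
    """Report the status of `package` in a composer.lock document.

    Returns (installed_version, status); status is 'affected: upgrade to X',
    'not affected', 'unknown version' or 'package not found'.
    Assumption: the version of typo3/cms-core reflects the installed TYPO3 release.
    """
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") != package:
            continue
        installed = pkg.get("version", "")
        version = parse_version(installed)
        if version is None:
            return installed, "unknown version"  # e.g. a dev branch: check by hand
        fixed = fixed_release_for(version)
        return installed, (f"affected: upgrade to {fixed}" if fixed else "not affected")
    return None, "package not found"

# Constructed sample lock file (not taken from a real installation).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "typo3/cms-core", "version": "v12.4.40"},
    {"name": "psr/log", "version": "3.0.0"},
]})

if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```

Versions that do not parse as a three-part release number are reported as unknown rather than treated as safe.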

Added: Jun 9, 2026, 11:23 AM
Updated: Jun 9, 2026, 11:23 AM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 2.5
exploitability: 6.4
remediation: 7.7
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.