CVE-2019-19848
TYPO3 Directory Traversal on ZIP extraction
Severity: 6.8 MEDIUM (CVSS 3.1)
EPSS: 0.37%
Description
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. The extraction of manually uploaded ZIP archives in the Extension Manager is vulnerable to directory traversal. Admin privileges are required in order to exploit this vulnerability. (In v9 LTS and later, System Maintainer privileges are also required.)
How to fix CVE-2019-19848
To remediate CVE-2019-19848, upgrade the affected package to a fixed version below.
- upgrade to 10.2.2 or later
- upgrade to 10.2.2 or later
Is CVE-2019-19848 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 10.0.0, < 10.2.2
- >= 10.0.0, < 10.2.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.8) | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H |