MEDIUM
GHSA-c72x-mc2p-wv7x
TYPO3 ke_search path traversal due to lack of normalization on config directory from file indexer
Details
In TYPO3 faceted fulltext search (`ke_search`), the file indexer does not normalize the configured directory path. A backend user with permission to edit indexer configurations can index documents from arbitrary locations on the server file system through path traversal sequences. This has been patched in versions 7.0.1, 6.6.1, 5.6.2 and 4.6.7.
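The missing check described above, as an added example that is not ke_search's code or its actual patch: the configured directory is normalized first and only then compared against an allowed base directory. The function names, the base path and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not taken from ke_search.

/** Collapse ".", ".." and duplicate slashes without touching the disk. */
function normalizePath(string $path): string
{
    $segments = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($segments); // never climbs above the root
            continue;
        }
        $segments[] = $segment;
    }
    return '/' . implode('/', $segments);
}

/** True only if the configured directory, once normalized, lies inside $base. */
function isInsideBase(string $base, string $configuredDir): bool
{
    $base = rtrim(normalizePath($base), '/') . '/';
    $isAbsolute = strpos($configuredDir, '/') === 0;
    $candidate = normalizePath($isAbsolute ? $configuredDir : $base . $configuredDir);
    // Compare with a trailing slash so "/base-old" is not treated as inside "/base".
    return strncmp($candidate . '/', $base, strlen($base)) === 0;
}

// Constructed sample values; the base directory is an assumption.
$base = '/var/www/site/fileadmin';
$samples = [
    'documents/manuals',                 // allowed
    'documents/../reports',              // allowed, still inside the base
    '../../../../etc',                   // rejected, escapes the base
    '/var/www/site/fileadmin-old/docs',  // rejected, sibling with a shared prefix
];
foreach ($samples as $dir) {
    printf("%-36s %s\n", $dir, isInsideBase($base, $dir) ? 'allowed' : 'rejected');
}
```

This normalization is purely lexical and does not resolve symbolic links; for directories that exist on disk, comparing the output of `realpath()` for both paths covers that case as well.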
Affected packages
| Package | Introduced in | Fixed in | Fix |
|---|---|---|---|
| Packagist / tpwd/ke_search | 7.0.0 | 7.0.1 | `composer require tpwd/ke_search:^7.0.1` |
| Packagist / tpwd/ke_search | 6.0.0 | 6.6.1 | `composer require tpwd/ke_search:^6.6.1` |
| Packagist / tpwd/ke_search | 5.0.0 | 5.6.2 | `composer require tpwd/ke_search:^5.6.2` |
| Packagist / tpwd/ke_search | 0 | 4.6.7 | `composer require tpwd/ke_search:^4.6.7` |