CVE-2021-43564: Exposure of Sensitive Information to an Unauthorized Actor

November 15, 2021 (updated November 17, 2021)

An issue was discovered in the jobfair (aka Job Fair) extension before 1.0.13 and 2.x before 2.0.2 for TYPO3. The extension fails to protect or obfuscate filenames of uploaded files. This allows unauthenticated users to download files with sensitive data by simply guessing the filename of uploaded files (e.g., uploads/tx_jobfair/cv.pdf).

References

github.com/advisories/GHSA-43g8-79x3-j898
nvd.nist.gov/vuln/detail/CVE-2021-43564
typo3.org/security/advisory/typo3-ext-sa-2021-018

Code Behaviors & Features

Detect and mitigate CVE-2021-43564 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →