
Arbitrary Code Execution in TYPO3 CMS

Critical severity · GitHub Reviewed · Published Jun 5, 2024 to the GitHub Advisory Database · Updated Jun 5, 2024

Package

composer typo3/cms (Composer)

Affected versions

>= 7.6.0, < 7.6.22
>= 8.0.0, < 8.7.5

Patched versions

7.6.22
8.7.5

Description

Due to a missing file extension in the fileDenyPattern, backend users were allowed to upload *.pht files, which are executed as PHP in certain web server setups (for example, Apache mod_php configurations whose FilesMatch handler expression also covers .pht). Since an authenticated backend user can upload such a file and then request it directly, this amounts to arbitrary code execution on the web server. The new default fileDenyPattern is the following. Note that the new default only takes effect if the pattern has not been overridden in the TYPO3 Install Tool (an override is stored as $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] in LocalConfiguration.php); an overridden pattern is not changed by the upgrade and must be updated by hand.

\.(php[3-7]?|phpsh|phtml|pht)(\..*)?$|^\.htaccess$
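
The following is an added example, not TYPO3 code, showing what the missing `pht` alternative meant in practice: it applies the pre-fix and post-fix deny patterns to a constructed list of upload names and lists the names that the old default let through. The pre-fix pattern is an assumption derived from the advisory (the new default with `pht` removed), and the check matches case-insensitively on the assumption that TYPO3 applies the pattern with PCRE's `/i` modifier. The `missing_coverage` helper is for operators who overrode the pattern in the Install Tool: feed it the configured value and it reports which of the new default's denied names it still accepts.

```python
import re

# Pre-fix default, as implied by the advisory (only `pht` is missing). Assumption.
OLD_FILE_DENY_PATTERN = r"\.(php[3-7]?|phpsh|phtml)(\..*)?$|^\.htaccess$"
# Default shipped in 7.6.22 / 8.7.5, quoted from the advisory.
NEW_FILE_DENY_PATTERN = r"\.(php[3-7]?|phpsh|phtml|pht)(\..*)?$|^\.htaccess$"


def is_denied(filename: str, pattern: str = NEW_FILE_DENY_PATTERN) -> bool:
    """Mirror of the TYPO3 check: an upload is rejected if the deny pattern
    matches anywhere in the basename. Case-insensitive (assumed /i modifier)."""
    return re.search(pattern, filename, re.IGNORECASE) is not None


def regressions(filenames):
    """Names accepted by the old default but rejected by the new one,
    i.e. the uploads this advisory is about."""
    return sorted(
        name for name in filenames
        if not is_denied(name, OLD_FILE_DENY_PATTERN)
        and is_denied(name, NEW_FILE_DENY_PATTERN)
    )


# Probe names covering every alternative of the new default, including the
# double-extension form caught by the trailing (\..*)?$ group.
PROBES = [f"probe.{ext}" for ext in
          ("php", "php3", "php4", "php5", "php6", "php7", "phpsh", "phtml", "pht")]
PROBES += ["probe.pht.txt", ".htaccess"]


def missing_coverage(configured_pattern: str):
    """Probe names the new default denies but a locally configured pattern
    (e.g. one overridden in the Install Tool) still accepts."""
    return sorted(
        name for name in PROBES
        if is_denied(name, NEW_FILE_DENY_PATTERN)
        and not is_denied(name, configured_pattern)
    )


# Constructed sample of upload names; not real data from any site.
SAMPLE_UPLOADS = [
    "report.pdf",
    "shell.php",
    "shell.PHP5",        # case-insensitive match on php[3-7]?
    "shell.phtml",
    "shell.pht",         # the gap this advisory closes
    "shell.pht.jpg",     # double extension; (\..*)?$ makes the suffix irrelevant
    "shell.jpg.pht",
    ".htaccess",
    "notes.htaccess",    # only a bare .htaccess is denied
    "photo.phtml.png",
]

if __name__ == "__main__":
    for name in SAMPLE_UPLOADS:
        print(f"{name:18} old={'deny' if is_denied(name, OLD_FILE_DENY_PATTERN) else 'allow':5} "
              f"new={'deny' if is_denied(name) else 'allow'}")
    print("let through before the fix:", regressions(SAMPLE_UPLOADS))
    print("old pattern lacks:", missing_coverage(OLD_FILE_DENY_PATTERN))
```

Running `missing_coverage` against the value of `BE/fileDenyPattern` from a site's LocalConfiguration.php is a quick way to confirm that a locally overridden pattern was actually brought up to the 7.6.22 / 8.7.5 default; an empty result means the override denies at least everything the new default does.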

References

Published to the GitHub Advisory Database Jun 5, 2024
Reviewed Jun 5, 2024
Last updated Jun 5, 2024

Severity

Critical 10.0 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-67wg-6j7r-mqh8

Source code
