GHSA-f35p-hcwf-9f9f

Source
https://github.com/advisories/GHSA-f35p-hcwf-9f9f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f35p-hcwf-9f9f/GHSA-f35p-hcwf-9f9f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f35p-hcwf-9f9f
Aliases
  • CVE-2008-2717
Published
2022-05-01T23:52:38Z
Modified
2024-02-09T16:56:40.618073Z
Summary
TYPO3 Unrestricted File Upload vulnerability
Details

TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1 uses an insufficiently restrictive default fileDenyPattern for Apache, which allows remote attackers to bypass security restrictions and upload configuration files such as .htaccess, or conduct file upload attacks using multiple extensions.

Database specific
{
    "nvd_published_at": "2008-06-16T22:41:00Z",
    "cwe_ids": [
        "CWE-434"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-09T16:34:40Z"
}
References

Affected packages

Packagist / typo3/cms-core

Package

Name
typo3/cms-core
Purl
pkg:composer/typo3/cms-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.0.9

Packagist / typo3/cms-core

Package

Name
typo3/cms-core
Purl
pkg:composer/typo3/cms-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.1.0
Fixed
4.1.7

Packagist / typo3/cms-core

Package

Name
typo3/cms-core
Purl
pkg:composer/typo3/cms-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0
Fixed
4.2.1