GHSA-fh4q-hxrw-cjqq

Source

https://github.com/advisories/GHSA-fh4q-hxrw-cjqq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fh4q-hxrw-cjqq/GHSA-fh4q-hxrw-cjqq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fh4q-hxrw-cjqq

Aliases

CVE-2017-14251

Published

2022-05-17T00:18:39Z

Modified

2024-04-25T21:57:34.638161Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

TYPO3 Arbitrary Code Execution

Details

Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php in TYPO3 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 allows remote authenticated users to upload files with a .pht extension and consequently execute arbitrary PHP code.

Database specific

{
    "nvd_published_at": "2017-09-11T09:29:00Z",
    "cwe_ids": [
        "CWE-434"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-25T21:29:47Z"
}

References

Affected packages

Packagist / typo3/cms

Package

Name: typo3/cms
Purl: pkg:composer/typo3/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.6.0

Fixed

7.6.22

Affected versions

7.*

7.6.0

7.6.1

7.6.2

7.6.3

7.6.4

7.6.5

7.6.6

7.6.7

7.6.8

7.6.9

7.6.10

7.6.11

7.6.12

7.6.13

7.6.14

7.6.15

7.6.16

7.6.17

7.6.18

7.6.19

v7.*

v7.6.20

v7.6.21

Packagist / typo3/cms

Package

Name: typo3/cms
Purl: pkg:composer/typo3/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.0.0

Fixed

8.7.5

Affected versions

8.*

8.0.0

8.0.1

8.1.0

8.1.1

8.1.2

8.2.0

8.2.1

8.3.0

8.3.1

8.4.0

8.4.1

8.5.0

8.5.1

8.6.0

8.6.1

8.7.0

8.7.1

8.7.2

v8.*

v8.7.3

v8.7.4