GHSA-wjpc-gjf7-9938

Source

https://github.com/advisories/GHSA-wjpc-gjf7-9938

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-wjpc-gjf7-9938/GHSA-wjpc-gjf7-9938.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-wjpc-gjf7-9938

Aliases

CVE-2010-3663

Published

2022-04-21T01:57:46Z

Modified

2024-02-06T23:41:53.676004Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

TYPO3 Arbitrary Code Execution vulnerability on the backend

Details

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains an insecure default value of the variable fileDenyPattern which could allow remote attackers to execute arbitrary code on the backend.

Database specific

{
    "nvd_published_at": "2019-11-04T22:15:00Z",
    "cwe_ids": [
        "CWE-434"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-06T23:03:54Z"
}

References

Affected packages

Packagist / typo3/cms-backend

Package

Name: typo3/cms-backend
Purl: pkg:composer/typo3/cms-backend

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.1.14

Packagist / typo3/cms-backend

Package

Name: typo3/cms-backend
Purl: pkg:composer/typo3/cms-backend

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.2

Fixed

4.2.13

Packagist / typo3/cms-backend

Package

Name: typo3/cms-backend
Purl: pkg:composer/typo3/cms-backend

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.3

Fixed

4.3.4

Packagist / typo3/cms-backend

Package

Name: typo3/cms-backend
Purl: pkg:composer/typo3/cms-backend

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.4

Fixed

4.4.1