Arbitrary Code Execution in TYPO3 CMS

Due to a missing file extension in the fileDenyPattern, backend user are allowed to upload *.pht files which can be executed in certain web server setups. The new default fileDenyPattern is the following, which might have been overridden in the TYPO3 Install Tool.

\.(php[3-7]?|phpsh|phtml|pht)(\..*)?$|^\.htaccess$

Published: Jun 5, 2024
Updated: Jun 27, 2024
GHSA: GHSA-67wg-6j7r-mqh8
Severity: Critical
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWEs:

CWE-94

Affected Software
References

Software	From	Fixed in
typo3 / cms	7.6.0	7.6.22
typo3 / cms	8.0.0	8.7.5

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2017-09-05-4.yaml
https://typo3.org/security/advisory/typo3-core-sa-2017-007

Vulnerability Database

Arbitrary Code Execution in TYPO3 CMS