CVE-2017-14251

Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php in TYPO3 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 allows remote authenticated users to upload files with a .pht extension and consequently execute arbitrary PHP code.

Published: Sep 11, 2017
Updated: Apr 13, 2023
CVE: CVE-2017-14251
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-434

Affected Software
References

Software	From	Fixed in
typo3 / typo3	8.6.1	8.6.1.x
typo3 / typo3	7.6.6	7.6.6.x
typo3 / typo3	8.3.1	8.3.1.x
typo3 / typo3	7.6.0	7.6.0.x
typo3 / typo3	7.6.5	7.6.5.x
typo3 / typo3	7.6.20	7.6.20.x
typo3 / typo3	8.2.0	8.2.0.x
typo3 / typo3	8.7.0	8.7.0.x
typo3 / typo3	7.6.2	7.6.2.x
typo3 / typo3	7.6.3	7.6.3.x
typo3 / typo3	8.2.1	8.2.1.x
typo3 / typo3	8.7.2	8.7.2.x
typo3 / typo3	8.7.3	8.7.3.x
typo3 / typo3	7.6.16	7.6.16.x
typo3 / typo3	7.6.19	7.6.19.x
typo3 / typo3	8.5.1	8.5.1.x
typo3 / typo3	7.6.7	7.6.7.x
typo3 / typo3	8.5.0	8.5.0.x
typo3 / typo3	8.1.0	8.1.0.x
typo3 / typo3	7.6.15	7.6.15.x
typo3 / typo3	7.6.14	7.6.14.x
typo3 / typo3	7.6.18	7.6.18.x
typo3 / typo3	7.6.21	7.6.21.x
typo3 / typo3	7.6.17	7.6.17.x
typo3 / typo3	8.4.0	8.4.0.x
typo3 / typo3	8.1.1	8.1.1.x
typo3 / typo3	7.6.12	7.6.12.x
typo3 / typo3	8.3.0	8.3.0.x
typo3 / typo3	7.6.9	7.6.9.x
typo3 / typo3	8.6.0	8.6.0.x
typo3 / typo3	8.0.0	8.0.0.x
typo3 / typo3	8.0.1	8.0.1.x
typo3 / typo3	7.6.4	7.6.4.x
typo3 / typo3	8.7.4	8.7.4.x
typo3 / typo3	8.4.1	8.4.1.x
typo3 / typo3	7.6.10	7.6.10.x
typo3 / typo3	7.6.11	7.6.11.x
typo3 / typo3	8.7.1	8.7.1.x
typo3 / typo3	7.6.1	7.6.1.x
typo3 / typo3	8.1.2	8.1.2.x
typo3 / typo3	7.6.8	7.6.8.x
typo3 / typo3	7.6.13	7.6.13.x

Vulnerability Database

289,871

CVE-2017-14251