#VU17244 Remote code execution in TYPO3

Published: January 28, 2019


Vulnerability identifier: #VU17244
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
TYPO3
Software vendor:
TYPO3

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to missing file extensions in $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern']. A remote attacker can upload *.phar, *.shtml, *.pl or *.cgi files, which can be executed in certain web server setups.

Successful exploitation of the vulnerability may result in system compromise.
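A defender-side check for this class of gap, added here and not part of the advisory: two constructed deny patterns (a weak one and a hardened one modelled on the fix, not TYPO3's actual configuration values) are tested against the extensions named above to show which upload names each would still accept.

```python
import re

# Constructed deny patterns for illustration (assumed, not TYPO3's own values):
# a pattern that only covers PHP-style extensions, and a hardened one that
# also covers the extensions named in the advisory (phar, shtml, pl, cgi).
WEAK_DENY_PATTERN = r"\.(php[3-7]?|phpsh|phtml)(\..*)?$|^\.htaccess$"
HARDENED_DENY_PATTERN = (
    r"\.(php[3-8]?|phpsh|phtml|pht|phar|shtml|cgi)(\..*)?$|\.pl$|^\.htaccess$"
)

# Constructed sample upload names: benign files, the extensions from the
# advisory, and double-extension variants that the (\..*)? group is meant to catch.
SAMPLE_UPLOADS = [
    "report.pdf",
    "image.jpg",
    "backdoor.php",
    "backdoor.phar",
    "page.shtml",
    "script.pl",
    "handler.cgi",
    "backdoor.phar.txt",
    "notes.cgi.bak",
]


def is_denied(filename: str, deny_pattern: str) -> bool:
    """True if the name matches the deny pattern (case-insensitive, like TYPO3's /i flag)."""
    return re.search(deny_pattern, filename, re.IGNORECASE) is not None


def allowed_uploads(filenames, deny_pattern):
    """Names that would be accepted for upload under the given pattern."""
    return [f for f in filenames if not is_denied(f, deny_pattern)]


def gaps(deny_pattern, required_exts=("phar", "shtml", "pl", "cgi")):
    """Extensions from the advisory that the pattern fails to deny."""
    return [ext for ext in required_exts if not is_denied(f"x.{ext}", deny_pattern)]


if __name__ == "__main__":
    for label, pattern in (("weak", WEAK_DENY_PATTERN), ("hardened", HARDENED_DENY_PATTERN)):
        print(f"{label}: gaps={gaps(pattern)} allowed={allowed_uploads(SAMPLE_UPLOADS, pattern)}")
```

Run the same `gaps()` check against the live `fileDenyPattern` value of an instance to confirm the fixed versions' coverage before relying on upload restrictions.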


Remediation

The vulnerability has been addressed in the versions 8.7.23 and 9.5.4.

External links