Remote code execution in TYPO3 - #VU17244

Published: January 28, 2019


Vulnerability identifier: #VU17244
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: TYPO3
Affected software:
TYPO3

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to missing file extensions in $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern']. A remote attacker can upload *.phar, *.shtml, *.pl or *.cgi files, which can be executed in certain web server setups.

Successful exploitation of the vulnerability may result in system compromise.
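The following PHP snippet is an added example and is not part of this advisory or of TYPO3's own code. It shows how to verify, against sample upload names, whether a given fileDenyPattern value rejects the four extensions named above. The two regular expressions in it are constructed approximations of a pre-fix and a hardened deny pattern (assumptions, not copied from TYPO3); the value that actually matters is the one read from $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] on the installation being checked, and upgrading to a fixed release remains the remediation.

```php
<?php
// Added example (not TYPO3 code): check whether a fileDenyPattern value blocks
// the upload file names named in the advisory. Both patterns below are
// constructed approximations; read the real value from
// $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] on your install.

// Pre-fix style pattern: blocks only PHP-family names and .htaccess (assumption).
const DENY_PATTERN_WEAK = '\\.(php[3-7]?|phpsh|phtml|pht)(\\..*)?$|^\\.htaccess$';

// Hardened pattern: additionally rejects .phar, .shtml, .cgi and .pl (assumption).
const DENY_PATTERN_HARDENED =
    '\\.(php[3-8]?|phpsh|phtml|pht|phar|shtml|cgi)(\\..*)?$|\\.pl$|^\\.htaccess$';

/**
 * Return true when $fileName is rejected by $denyPattern.
 * The configured value is used as a case-insensitive PCRE here (modifier "i"),
 * so upper-case variants such as "x.PHAR" are treated like "x.phar".
 */
function isDenied(string $fileName, string $denyPattern): bool
{
    return preg_match('/' . $denyPattern . '/i', $fileName) === 1;
}

/**
 * Return the subset of $fileNames that $denyPattern does NOT block.
 * An empty result for the dangerous names means the pattern covers them.
 */
function uncoveredNames(string $denyPattern, array $fileNames): array
{
    return array_values(array_filter(
        $fileNames,
        function (string $name) use ($denyPattern): bool {
            return !isDenied($name, $denyPattern);
        }
    ));
}

// Constructed sample upload names: the four extensions from the advisory,
// a double extension, an upper-case variant, and one legitimate image.
$dangerous = [
    'shell.phar',
    'page.shtml',
    'script.pl',
    'handler.cgi',
    'image.php.jpg',
    'upload.PHAR',
];
$legitimate = ['photo.jpg'];

foreach (['weak' => DENY_PATTERN_WEAK, 'hardened' => DENY_PATTERN_HARDENED] as $label => $pattern) {
    $open = uncoveredNames($pattern, $dangerous);
    printf("%-9s pattern lets through: %s\n", $label, $open ? implode(', ', $open) : '(nothing)');
    // A deny pattern must not start rejecting ordinary uploads.
    $blockedLegit = array_diff($legitimate, uncoveredNames($pattern, $legitimate));
    printf("%-9s pattern wrongly blocks: %s\n", $label, $blockedLegit ? implode(', ', $blockedLegit) : '(nothing)');
}
```

Run with `php check_deny_pattern.php` (PHP 7.0 or later). With the constructed patterns, the weak one reports the .phar, .shtml, .pl and .cgi names (plus the upper-case variant) as let through, while the hardened one lets none of them through and still accepts photo.jpg. To audit a real installation, substitute the pattern string read from the site's configuration for the constants above.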


Remediation

The vulnerability has been addressed in the versions 8.7.23 and 9.5.4.

Sources