Arbitrary file upload in TYPO3 - CVE-2010-3663

Published: November 4, 2019 / Updated: July 17, 2020


Vulnerability identifier: #VU30711
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2010-3663
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: TYPO3
Affected software: TYPO3

Detailed vulnerability description

The vulnerability allows a remote authenticated user to execute arbitrary code.

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 ships an insecure default value for the fileDenyPattern configuration variable, which could allow remote authenticated attackers to upload files that are then executed as arbitrary code on the backend.


How to mitigate CVE-2010-3663

Install the update from the vendor's website (TYPO3 4.1.14, 4.2.13, 4.3.4 or 4.4.1, or later).