Description
Arbitrary Code Execution in TYPO3 CMS
Due to a missing file extension in the fileDenyPattern, backend users are allowed to upload *.pht files, which can be executed in certain web server setups. The new default fileDenyPattern is the following; the setting might have been overridden in the TYPO3 Install Tool.
\.(php[3-7]?|phpsh|phtml|pht)(\..*)?$|^\.htaccess$
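An added example (not part of the advisory or of TYPO3's own code): a Python audit that applies the new default pattern to the file names under an upload directory, to find files that were accepted before the pattern was updated. Case-insensitive matching, the function names and the sample file names are assumptions made for this example.

```python
import os
import re
import tempfile

# New default fileDenyPattern quoted in the advisory above.
FILE_DENY_PATTERN = r"\.(php[3-7]?|phpsh|phtml|pht)(\..*)?$|^\.htaccess$"
# Assumption: case-insensitive matching, so IMPORT.PHT is treated like import.pht.
_DENY = re.compile(FILE_DENY_PATTERN, re.IGNORECASE)


def is_denied(filename):
    """True if the bare file name (no directory part) matches the deny pattern."""
    return _DENY.search(filename) is not None


def audit_upload_dir(root):
    """Return sorted relative paths under root whose file name is denied."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_denied(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample data: harmless empty files with representative names."""
    names = ["logo.png", "notes.pht", "IMPORT.PHT", "report.pht.txt",
             "docs/.htaccess", "docs/manual.pdf", "docs/phtalate.txt"]
    for rel in names:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in audit_upload_dir(tmp):
            print("matches fileDenyPattern:", hit)
```

Point `audit_upload_dir` at the directory that holds backend uploads; if the pattern was overridden in the Install Tool, substitute the configured value for `FILE_DENY_PATTERN`.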
Packages

Name: typo3/cms (composer)
Affected versions: >= 7.6.0, < 7.6.22
Fixed version: 7.6.22

Name: typo3/cms (composer)
Affected versions: >= 8.0.0, < 8.7.5
Fixed version: 8.7.5

CVSS3: 9.9 Critical
Weaknesses: CWE-94