Vulnerability CVE-2017-14251


Published: 2017-09-11

Description:
Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php in TYPO3 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 allows remote authenticated users to upload files with a .pht extension and consequently execute arbitrary PHP code.

Type:
CWE-434 (Unrestricted Upload of File with Dangerous Type)

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10

Exploit range: Remote
Attack complexity: Low
Authentication: Single time

Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Affected software:
Typo3 -> Typo3
IBM -> Business process manager

References:
http://blog.emaze.net/2017/12/typo3-unrestricted-file-upload-remote.html
http://www.securityfocus.com/bid/100620
http://www.securitytracker.com/id/1039295
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2017-007/
