CVE-2017-14251 — Unrestricted File Upload in CMS

CWE-434 — Unrestricted File Upload4 documents4 sources

Severity

8.8HIGHNVD

EPSS

3.5%

top 12.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Typo3 CMS Typo3

Timeline

PublishedSep 11

Latest updateMay 17

Description

Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php in TYPO3 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 allows remote authenticated users to upload files with a .pht extension and consequently execute arbitrary PHP code.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶Packagisttypo3/cms7.6.0 — 7.6.22+1

▶NVDtypo3/typo342 versions+41

🔴Vulnerability Details

GHSA

TYPO3 Arbitrary Code Execution↗2022-05-17

▶

OSV

TYPO3 Arbitrary Code Execution↗2022-05-17

▶

CVEList

CVE-2017-14251: Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder↗2017-09-11

▶