| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| typo3/cms | composer | >= 7.6.0, < 7.6.22 | 7.6.22 |
| typo3/cms | composer | >= 8.0.0, < 8.7.5 | 8.7.5 |

The vulnerability stems from an incomplete fileDenyPattern configuration in SystemEnvironmentBuilder.php. The advisories do not explicitly name a specific function, but they reference this file directly as containing the vulnerable pattern. The SystemEnvironmentBuilder class is responsible for initializing global configuration variables, including security-related settings such as fileDenyPattern. Because .pht was absent from this deny list (normally set via the createGlobalVariables() method), file type restrictions could be bypassed. This matches the CWE-434 pattern: unrestricted upload of dangerous file types through insufficient extension filtering.
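
The gap described above can be caught by auditing a deny pattern against the extensions it is expected to block. The following is an added example, not TYPO3 source code: the two patterns are constructed for illustration, and `isDenied()`, `findGaps()` and the `MUST_BLOCK` list are hypothetical names and assumptions.

```php
<?php
// Added example: audit an extension deny pattern for gaps (not TYPO3 source code).

// Constructed patterns modelled on an extension deny list; assumptions, not the project's values.
const DENY_BEFORE = '\\.(php[3-7]?|phpsh|phtml)(\\..*)?$|^\\.htaccess$';
const DENY_AFTER  = '\\.(php[3-7]?|phpsh|phtml|pht)(\\..*)?$|^\\.htaccess$';

// Extensions the auditor expects to be blocked. Assumption: which of these a web
// server hands to PHP depends on its handler configuration.
const MUST_BLOCK = ['php', 'php5', 'phtml', 'pht', 'phpsh'];

/** True when the deny pattern rejects the file name (case-insensitive). */
function isDenied(string $pattern, string $fileName): bool
{
    return preg_match('/' . str_replace('/', '\\/', $pattern) . '/i', $fileName) === 1;
}

/** Returns the extensions from $mustBlock that the pattern lets through. */
function findGaps(string $pattern, array $mustBlock): array
{
    $gaps = [];
    foreach ($mustBlock as $ext) {
        // Check plain, upper-case and double-extension forms of each name.
        $names = ["upload.$ext", 'upload.' . strtoupper($ext), "upload.$ext.txt"];
        foreach ($names as $name) {
            if (!isDenied($pattern, $name)) {
                $gaps[$ext] = true;
            }
        }
    }
    return array_keys($gaps);
}

// Report the gaps for the pattern without .pht and for the one that includes it.
foreach (['before' => DENY_BEFORE, 'after' => DENY_AFTER] as $label => $pattern) {
    $gaps = findGaps($pattern, MUST_BLOCK);
    printf("%-6s gaps: %s\n", $label, $gaps ? implode(', ', $gaps) : 'none');
}
```

A check like this belongs in CI for any installation that overrides the default deny pattern, so that a custom value cannot silently drop an extension.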