N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-2p4f-vc9q-r5vp

EPSS Score

CWE

Published

6/5/2024

Updated

6/5/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-2p4f-vc9q-r5vp

GHSA-2p4f-vc9q-r5vp: Typo3 Arbitrary file upload and XML External Entity processing

It has been discovered that Flow 3.0.0 allows arbitrary file uploads, inlcuding server-side scripts, posing the risk of attacks. If those scripts are executed by the server when accessed through their public URL, anything not blocked through other means is possible (information disclosure, placement of backdoors, data removal, …).

Note: The upload of files is only possible if the application built on Flow provides means to do so, and whether or not the upload of files poses a risk is dependent on the system setup. If uploaded script files are not executed by the server, there is no risk. In versions prior to 3.0.0 the upload of files with the extension php was blocked.

In Flow 2.3.0 to 2.3.6 a potential XML External Entity processing vulnerability has been discovered in the MediaTypeConverter.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-2p4f-vc9q-r5vp

GHSA-2p4f-vc9q-r5vp:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-2p4f-vc9q-r5vp

EPSS Score

CWE

Published

6/5/2024

Updated

6/5/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/flow	composer	>= 2.3.0, < 2.3.7	2.3.7
typo3/flow	composer	>= 3.0.0, < 3.0.1	3.0.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

MediaTypeConverter::convert is explicitly named in the advisory as the XXE vector. The patch would have modified XML parsing here to disable external entities.
ResourceManager::validateFileUpload (or similar validation method) would be responsible for enforcing extension restrictions. The 3.0.0 vulnerability stemmed from removed PHP blocking, indicating missing validation logic in this function prior to 3.0.1 patch. Both functions directly handle untrusted input (XML data and file uploads) and were modified in patched versions per advisory descriptions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-2p4f-vc9q-r5vp: Typo3 Arbitrary file upload and XML External Entity processing

GHSA-2p4f-vc9q-r5vp:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

GHSA-2p4f-vc9q-r5vp: Typo3 Arbitrary file upload and XML External Entity processing

Basic Information

Basic Information

N/A

N/A

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI