GHSA-8h4m-r4wm-xj7r: TYPO3 Arbitrary Code Execution via File List Module
8.8
CVSS Score
3.1
Basic Information
CVE ID
-
GHSA ID
EPSS Score
-
CWE
Published
6/7/2024
Updated
6/7/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| typo3/cms | composer | >= 8.0.0, < 8.7.23 | 8.7.23 |
| typo3/cms | composer | >= 9.0.0, < 9.5.4 | 9.5.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from an incomplete file deny pattern in TYPO3's configuration. The SystemEnvironmentBuilder::defineBaseConstants() method is directly responsible for setting the FILE_DENY_PATTERN_DEFAULT constant, which governs restricted file types. The commit patching this vulnerability explicitly modifies this function to add the missing extensions. Since this function controls the security-critical deny pattern configuration, its outdated implementation in vulnerable versions is the root cause enabling unsafe file uploads.