CVE-2009-3631 – typo3/cms-backend

Package

Manager: composer
Name: typo3/cms-backend
Vulnerable Version: >=0 <=4.0.13 || >=4.1.0 <4.1.13 || >=4.2.0 <4.2.10 || >=4.3alpha1 <4.3beta2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00541 pctl0.66676

Details

TYPO3 Backend Command Injection via Shell Metacharacters in Uploaded File Name The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2, when the DAM extension or ftp upload is enabled, allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename.

Metadata

Created: 2022-05-02T03:46:56Z
Modified: 2024-02-08T21:38:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3cqw-pxgr-jhrm/GHSA-3cqw-pxgr-jhrm.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-3cqw-pxgr-jhrm
Finding: F422
Auto approve: 1