CVE-2010-3663 – typo3/cms-backend
Package
Manager: composer
Name: typo3/cms-backend
Vulnerable Version: >=0 <4.1.14 || >=4.2 <4.2.13 || >=4.3 <4.3.4 || >=4.4 <4.4.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.03147 (percentile: 0.86377)
Details
TYPO3 Arbitrary Code Execution vulnerability on the backend
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains an insecure default value of the variable fileDenyPattern, which could allow remote attackers to execute arbitrary code on the backend.
Metadata
Created: 2022-04-21T01:57:46Z
Modified: 2024-02-06T23:03:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-wjpc-gjf7-9938/GHSA-wjpc-gjf7-9938.json
CWE IDs: ["CWE-434"]
Alternative ID: GHSA-wjpc-gjf7-9938
Finding: F027
Auto approve: 1