Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php in TYPO3 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 allows remote authenticated users to upload files with a .pht extension and consequently execute arbitrary PHP code.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| typo3/cms(Packagist) | 7.6.0 | 7.6.22 | N/A |
| typo3/cms(Packagist) | 8.0.0 | 8.7.5 | N/A |
CVSS Metrics
