Skip to content

Typo3 Arbitrary file upload and XML External Entity processing

Moderate severity GitHub Reviewed Published Jun 5, 2024 to the GitHub Advisory Database • Updated Jun 5, 2024

Package

composer typo3/flow (Composer)

Affected versions

>= 2.3.0, < 2.3.7
>= 3.0.0, < 3.0.1

Patched versions

2.3.7
3.0.1

Description

It has been discovered that Flow 3.0.0 allows arbitrary file uploads, inlcuding server-side scripts, posing the risk of attacks. If those scripts are executed by the server when accessed through their public URL, anything not blocked through other means is possible (information disclosure, placement of backdoors, data removal, …).

Note: The upload of files is only possible if the application built on Flow provides means to do so, and whether or not the upload of files poses a risk is dependent on the system setup. If uploaded script files are not executed by the server, there is no risk. In versions prior to 3.0.0 the upload of files with the extension php was blocked.

In Flow 2.3.0 to 2.3.6 a potential XML External Entity processing vulnerability has been discovered in the MediaTypeConverter.

References

Published to the GitHub Advisory Database Jun 5, 2024
Reviewed Jun 5, 2024
Last updated Jun 5, 2024

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-2p4f-vc9q-r5vp

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.