
Christian Toffolo

#39878 of 53,638
6.8 CVSS total
Vulnerabilities · 1
PT-2012-1930
6.8
2012-02-18
Typo3 · Typo3 · CVE-2011-4614
**Name of the Vulnerable Software and Affected Versions**

- TYPO3 versions 4.5.x through 4.5.8
- TYPO3 versions 4.6.x through 4.6.1
- TYPO3 development versions of 4.7

**Description**

The issue allows remote attackers to execute arbitrary PHP code via a URL in the `BACK_PATH` parameter. This is the result of a PHP remote file inclusion vulnerability in the workspaces system extension, specifically in `Classes/Controller/AbstractController.php`.

**Recommendations**

- For TYPO3 versions 4.5.x through 4.5.8, update to version 4.5.9 or later.
- For TYPO3 versions 4.6.x through 4.6.1, update to version 4.6.2 or later.
- For TYPO3 development versions of 4.7, consider avoiding the use of the `BACK_PATH` parameter until a fixed version is available.

As a temporary workaround, consider restricting access to the affected `AbstractController.php` file in the workspaces system extension.