CVE-2017-14251

Name of the Vulnerable Software and Affected Versions TYPO3 versions 7.6.0 through 7.6.21 TYPO3 versions 8.0.0 through 8.7.4

Description The issue allows remote authenticated users to upload files with a .pht extension, which can lead to the execution of arbitrary PHP code due to an Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php.

Recommendations For TYPO3 versions 7.6.0 through 7.6.21, update to a version outside of this range to mitigate the risk. For TYPO3 versions 8.0.0 through 8.7.4, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting file uploads to prevent the upload of files with a .pht extension until a patch is available.