Johannes Regner

#30651 of 53,638
8.6 Total CVSS
Vulnerabilities · 1
PT-2021-14439
8.6
2021-03-23
Typo3 · Typo3 · CVE-2021-21355
**Name of the Vulnerable Software and Affected Versions**

TYPO3 versions prior to 8.7.40
TYPO3 versions prior to 9.5.25
TYPO3 versions prior to 10.4.14
TYPO3 versions prior to 11.1.1

**Description**

The issue arises because file extensions are not checked against the configured allowed mime-types, allowing attackers to upload arbitrary data with arbitrary file extensions. The default `fileDenyPattern` does still block files such as `.htaccess` or `malicious.php`. The `UploadedFileReferenceConverter` handles file uploads for extensions built on the Extbase MVC framework and accepts any file mime-type, persisting files in the default location `/fileadmin/user_upload/`. This allows attackers to reference the files directly, or to guess filenames uploaded by other users and thereby disclose their contents. No authentication is required to exploit this issue.

**Recommendations**

Update to TYPO3 version 8.7.40 to resolve the issue.
Update to TYPO3 version 9.5.25 to resolve the issue.
Update to TYPO3 version 10.4.14 to resolve the issue.
Update to TYPO3 version 11.1.1 to resolve the issue.

For Extbase extensions that rely on the global availability of the `UploadedFileReferenceConverter`, implement a custom `TypeConverter` to handle file uploads, or explicitly register the `ext:form` `UploadedFileReferenceConverter` with appropriate settings for the accepted mime-types.
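An added example, not part of this advisory or of TYPO3's code, of the check the description says was missing: the upload's extension must map to a configured allowed mime-type, and the file's actual content must match that type, after a deny pattern has been applied. The deny pattern, the allowed-type map and the sample bytes are constructed for the example and are not TYPO3's defaults.

```php
<?php
// Added example (not TYPO3 code): accept an upload only if its extension maps
// to a configured allowed mime-type AND the bytes actually match that type.
declare(strict_types=1);

// Illustrative deny pattern in the spirit of TYPO3's fileDenyPattern
// (constructed for this example; not the exact TYPO3 default).
const DENY_PATTERN = '/\.(php[3-8]?|phtml|phar|shtml|cgi)(\..*)?$|^\.htaccess$/i';

// Extension -> allowed mime-type map, i.e. what a form should configure
// explicitly instead of accepting any mime-type (constructed for the example).
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'pdf'  => 'application/pdf',
];

// Returns [accepted (bool), reason (string)] for a client-supplied name and
// the temporary path where the uploaded bytes were stored.
function validateUpload(string $clientName, string $tmpPath): array
{
    $name = basename($clientName);               // drop any path components
    if (preg_match(DENY_PATTERN, $name) === 1) {
        return [false, 'filename matches deny pattern'];
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return [false, "extension .$ext is not in the allowed list"];
    }
    // Sniff the real content type; never trust the client-sent mime-type.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if ($detected !== ALLOWED[$ext]) {
        return [false, "content is $detected, expected " . ALLOWED[$ext] . " for .$ext"];
    }
    return [true, 'ok'];
}

// Constructed sample: a PNG signature plus padding, written to a temp file.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
var_dump(validateUpload('photo.png', $tmp));  // extension and content agree
var_dump(validateUpload('photo.pdf', $tmp));  // same bytes, mismatching extension
var_dump(validateUpload('shell.php', $tmp));  // name caught by the deny pattern
unlink($tmp);
```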