PT-2015-6634 · Typo3 · Typo3 Frontend User Upload (Feupload) Extension

Torben Hansen

Published

2015-06-16

Updated

2016-12-07

CVE-2015-4607

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions TYPO3 Frontend User Upload (feupload) extension version 0.5.0 and earlier

Description The issue allows remote attackers to execute arbitrary code by uploading a file with an executable extension using a frontend form, then accessing it via a direct request to the file in the fileadmin folder.

Recommendations For versions 0.5.0 and earlier, consider disabling the file upload functionality in the Frontend User Upload (feupload) extension until a patch is available. Restrict access to the fileadmin folder to minimize the risk of exploitation. Avoid using executable file extensions in uploads to prevent arbitrary code execution.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2015-4607

Affected Products

Typo3 Frontend User Upload (Feupload) Extension

PT-2015-6634 · Typo3 · Typo3 Frontend User Upload (Feupload) Extension

CVE-2015-4607

Related Identifiers

Affected Products

References · 3