Name of the Vulnerable Software and Affected Versions: TYPO3 (affected versions not specified)

Description: The issue allows backend users to upload certain file types, including *.phar, *.shtml, *.pl, or *.cgi files, due to missing file extensions in the TYPO3 CONF VARS configuration. These files can be executed in specific web server setups, potentially leading to security issues. A valid backend user account is required to exploit this issue. It is noted that derivatives of Debian GNU Linux handle *.phar files as PHP applications since PHP 7.1 and 7.2. The *.shtml file extension is related to server-side includes, which are not enabled by default in most Linux distributions. The *.pl and *.cgi file extensions require additional handlers to be configured, which is not typically the case in most common distributions.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.