PT-2024-40292 · Typo3 · Typo3

Published: 2024-05-30 · Updated: 2024-05-30

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: TYPO3 (affected versions not specified)
Description: A broken access control issue has been discovered in the Import/Export module: regular backend users can reach import functionality that is normally restricted to admin users or to users granted it through specific User TSconfig settings. Database content imports are properly permission-checked, but file uploads through this path bypass File Abstraction Layer (FAL) restrictions; only executable files remain blocked, because they are covered by fileDenyPattern. The vulnerability can be exploited by injecting *.form.yaml files, potentially leading to privilege escalation and SQL injection, but this requires the Form Framework (ext:form) to be installed on the website. A valid backend user account is necessary to exploit this issue.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration: Incorrect Authorization

Related Identifiers: GHSA-G776-759R-PF6X

Affected Products: Typo3