High severity · 8.8 · NVD Advisory · Published Sep 11, 2017 · Updated May 13, 2026
CVE-2017-14251
Description
Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php in TYPO3 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 allows remote authenticated users to upload files with a .pht extension and consequently execute arbitrary PHP code.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| typo3/cms (Packagist) | >= 7.6.0, < 7.6.22 | 7.6.22 |
| typo3/cms (Packagist) | >= 8.0.0, < 8.7.5 | 8.7.5 |
Affected products
- cpe:2.3:a:typo3:typo3:7.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.10:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.11:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.12:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.13:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.14:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.15:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.16:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.17:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.18:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.19:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.20:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.21:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:7.6.9:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:8.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:8.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:8.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:8.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:8.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:8.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:8.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:8.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:8.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:8.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:8.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:8.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:8.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:8.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:8.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:8.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:8.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:8.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:8.7.4:*:*:*:*:*:*:*
References
- typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2017-007/ (nvd; Exploit, Vendor Advisory)
- www.securityfocus.com/bid/100620 (nvd; Third Party Advisory, VDB Entry, WEB)
- www.securitytracker.com/id/1039295 (nvd; Third Party Advisory, VDB Entry, WEB)
- github.com/advisories/GHSA-fh4q-hxrw-cjqq (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-14251 (ghsa; ADVISORY)
- blog.emaze.net/2017/12/typo3-unrestricted-file-upload-remote.html (nvd; WEB)
- typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2017-007 (ghsa; WEB)