Package details: pkg:composer/typo3/cms@8.7.5
purl pkg:composer/typo3/cms@8.7.5
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (9)
- Vulnerability: VCID-1d1x-7vx6-zbfw
  Summary: TYPO3 Arbitrary Code Execution. Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php in TYPO3 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 allows remote authenticated users to upload files with a .pht extension and consequently execute arbitrary PHP code.
  Aliases: CVE-2017-14251, GHSA-fh4q-hxrw-cjqq
- Vulnerability: VCID-2x7t-5tdv-cuge
  Summary: XSS Vulnerability. Failing to properly encode user input, backend forms are vulnerable to Cross-Site Scripting. A valid backend user account is needed to exploit this vulnerability.
  Aliases: TYPO3-CORE-SA-2017-004
- Vulnerability: VCID-brcm-16va-3yek
  Summary: Information Disclosure in TYPO3 CMS. HTTP requests being performed using the TYPO3 API expose the specific TYPO3 version to the called endpoint.
  Aliases: GHSA-c7p6-3c9c-f88q
- Vulnerability: VCID-fru4-hjhx-47ev
  Summary: Information Disclosure. HTTP requests being performed using the TYPO3 API expose the specific TYPO3 version to the called endpoint.
  Aliases: TYPO3-CORE-SA-2017-006
- Vulnerability: VCID-u6ar-3wzb-u3eg
  Summary: Information Disclosure in TYPO3 CMS. Failing to properly check user permission on file storages, editors could gain knowledge of protected storages and their folders as well as using them in a file collection being rendered in the frontend. A valid backend user account is needed to exploit this vulnerability.
  Aliases: GHSA-g46h-v2cc-6c94
- Vulnerability: VCID-vyhd-x5fe-b3aj
  Summary: Information Disclosure. Failing to properly check user permission on file storages, editors could gain knowledge of protected storages and their folders as well as using them in a file collection being rendered in the frontend. A valid backend user account is needed to exploit this vulnerability.
  Aliases: TYPO3-CORE-SA-2017-005
- Vulnerability: VCID-x3t4-7hux-zya8
  Summary: Cross-Site Scripting in TYPO3 CMS Backend. Failing to properly encode user input, backend forms are vulnerable to Cross-Site Scripting. A valid backend user account is needed to exploit this vulnerability.
  Aliases: GHSA-v4qr-8h2v-qpjx
- Vulnerability: VCID-xg9s-8fv2-87hq
  Summary: Arbitrary Code Execution in TYPO3 CMS. Due to a missing file extension in the fileDenyPattern, backend users are allowed to upload *.pht files which can be executed in certain web server setups. The new default fileDenyPattern is the following, which might have been overridden in the TYPO3 Install Tool.

  ```
  \.(php[3-7]?|phpsh|phtml|pht)(\..*)?$|^\.htaccess$
  ```

  Aliases: GHSA-67wg-6j7r-mqh8
- Vulnerability: VCID-yz56-gs5x-hudr
  Summary: Arbitrary Code Execution. Due to a missing file extension in the `fileDenyPattern`, backend users are allowed to upload *.pht files which can be executed in certain web server setups.
  Aliases: TYPO3-CORE-SA-2017-007

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-07-01T18:10:30.791143+00:00 | GitLab Importer | Fixing | VCID-1d1x-7vx6-zbfw | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/CVE-2017-14251.yml | 36.1.3 |
| 2025-07-01T18:10:30.401297+00:00 | GitLab Importer | Fixing | VCID-vyhd-x5fe-b3aj | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/TYPO3-CORE-SA-2017-005.yml | 36.1.3 |
| 2025-07-01T18:10:30.366103+00:00 | GitLab Importer | Fixing | VCID-fru4-hjhx-47ev | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/TYPO3-CORE-SA-2017-006.yml | 36.1.3 |
| 2025-07-01T18:10:30.345181+00:00 | GitLab Importer | Fixing | VCID-yz56-gs5x-hudr | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/TYPO3-CORE-SA-2017-007.yml | 36.1.3 |
| 2025-07-01T18:10:30.326799+00:00 | GitLab Importer | Fixing | VCID-2x7t-5tdv-cuge | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms/TYPO3-CORE-SA-2017-004.yml | 36.1.3 |
| 2025-07-01T14:35:06.302429+00:00 | GHSA Importer | Fixing | VCID-x3t4-7hux-zya8 | https://github.com/advisories/GHSA-v4qr-8h2v-qpjx | 36.1.3 |
| 2025-07-01T14:35:06.033867+00:00 | GHSA Importer | Fixing | VCID-u6ar-3wzb-u3eg | https://github.com/advisories/GHSA-g46h-v2cc-6c94 | 36.1.3 |
| 2025-07-01T14:35:05.947155+00:00 | GHSA Importer | Fixing | VCID-brcm-16va-3yek | https://github.com/advisories/GHSA-c7p6-3c9c-f88q | 36.1.3 |
| 2025-07-01T14:35:05.811021+00:00 | GHSA Importer | Fixing | VCID-xg9s-8fv2-87hq | https://github.com/advisories/GHSA-67wg-6j7r-mqh8 | 36.1.3 |
| 2025-07-01T12:29:42.128427+00:00 | GithubOSV Importer | Fixing | VCID-1d1x-7vx6-zbfw | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fh4q-hxrw-cjqq/GHSA-fh4q-hxrw-cjqq.json | 36.1.3 |
| 2025-07-01T12:11:11.127900+00:00 | GithubOSV Importer | Fixing | VCID-x3t4-7hux-zya8 | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-v4qr-8h2v-qpjx/GHSA-v4qr-8h2v-qpjx.json | 36.1.3 |
| 2025-07-01T12:11:03.873356+00:00 | GithubOSV Importer | Fixing | VCID-brcm-16va-3yek | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-c7p6-3c9c-f88q/GHSA-c7p6-3c9c-f88q.json | 36.1.3 |
| 2025-07-01T12:10:59.377910+00:00 | GithubOSV Importer | Fixing | VCID-xg9s-8fv2-87hq | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-67wg-6j7r-mqh8/GHSA-67wg-6j7r-mqh8.json | 36.1.3 |
| 2025-07-01T12:10:57.587279+00:00 | GithubOSV Importer | Fixing | VCID-u6ar-3wzb-u3eg | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-g46h-v2cc-6c94/GHSA-g46h-v2cc-6c94.json | 36.1.3 |