VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-1d1x-7vx6-zbfw

Essentials
Severities (13)
References (8)
Severity details (12)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-1d1x-7vx6-zbfw
Aliases	CVE-2017-14251 GHSA-fh4q-hxrw-cjqq
Summary	TYPO3 Arbitrary Code Execution Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.php in TYPO3 7.6.0 to 7.6.21 and 8.0.0 to 8.7.4 allows remote authenticated users to upload files with a .pht extension and consequently execute arbitrary PHP code.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-434	Unrestricted Upload of File with Dangerous Type
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3.1	8.8	http://blog.emaze.net/2017/12/typo3-unrestricted-file-upload-remote.html
generic_textual	HIGH	http://blog.emaze.net/2017/12/typo3-unrestricted-file-upload-remote.html
epss	0.03536	https://api.first.org/data/v1/epss?cve=CVE-2017-14251
cvssv3.1	8.8	https://github.com/TYPO3/typo3
generic_textual	HIGH	https://github.com/TYPO3/typo3
cvssv3.1	8.8	https://nvd.nist.gov/vuln/detail/CVE-2017-14251
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2017-14251
cvssv3.1	8.8	https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2017-007
generic_textual	HIGH	https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2017-007
cvssv3.1	8.8	http://www.securityfocus.com/bid/100620
generic_textual	HIGH	http://www.securityfocus.com/bid/100620
cvssv3.1	8.8	http://www.securitytracker.com/id/1039295
generic_textual	HIGH	http://www.securitytracker.com/id/1039295

Reference id	Reference type	URL
		http://blog.emaze.net/2017/12/typo3-unrestricted-file-upload-remote.html
		https://api.first.org/data/v1/epss?cve=CVE-2017-14251
		https://github.com/TYPO3/typo3
		https://nvd.nist.gov/vuln/detail/CVE-2017-14251
		https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2017-007
		https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2017-007/
		http://www.securityfocus.com/bid/100620
		http://www.securitytracker.com/id/1039295

No exploits are available.

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at http://blog.emaze.net/2017/12/typo3-unrestricted-file-upload-remote.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/TYPO3/typo3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2017-14251

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2017-007

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at http://www.securityfocus.com/bid/100620

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at http://www.securitytracker.com/id/1039295

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.87154
EPSS Score	0.03536
Published At	June 30, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-01T12:29:42.079713+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fh4q-hxrw-cjqq/GHSA-fh4q-hxrw-cjqq.json	36.1.3