Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zY3F3LXB4Z3Itamhybc3Msg
TYPO3 Backend Command Injection via Shell Metacharacters in Uploaded File Name
The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2, when the DAM extension or ftp upload is enabled, allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename.
Permalink: https://github.com/advisories/GHSA-3cqw-pxgr-jhrmJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zY3F3LXB4Z3Itamhybc3Msg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 12 months ago
EPSS Percentage: 0.00358
EPSS Percentile: 0.7184
Identifiers: GHSA-3cqw-pxgr-jhrm, CVE-2009-3631
References:
- https://nvd.nist.gov/vuln/detail/CVE-2009-3631
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53923
- http://marc.info/?l=oss-security&m=125632856206736&w=2
- http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/
- https://web.archive.org/web/20101223093042/http://www.securityfocus.com/bid/36801
- https://github.com/advisories/GHSA-3cqw-pxgr-jhrm
Affected Packages
packagist:typo3/cms-backend
Dependent packages: 350Dependent repositories: 512
Downloads: 8,590,205 total
Affected Version Ranges: >= 4.3alpha1, < 4.3beta2, >= 4.2.0, < 4.2.10, >= 4.1.0, < 4.1.13, <= 4.0.13
Fixed in: 4.3beta2, 4.2.10, 4.1.13,
All affected versions: 8.7.7, 8.7.8, 8.7.9, 8.7.10, 8.7.11, 8.7.12, 8.7.13, 8.7.14, 8.7.15, 8.7.16, 8.7.17, 8.7.18, 8.7.19, 8.7.20, 8.7.21, 8.7.22, 8.7.23, 8.7.24, 8.7.25, 8.7.26, 8.7.27, 8.7.28, 8.7.29, 8.7.30, 8.7.31, 8.7.32, 9.0.0, 9.1.0, 9.2.0, 9.2.1, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.4.0, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 9.5.5, 9.5.6, 9.5.7, 9.5.8, 9.5.9, 9.5.10, 9.5.11, 9.5.12, 9.5.13, 9.5.14, 9.5.15, 9.5.16, 9.5.17, 9.5.18, 9.5.19, 9.5.20, 9.5.21, 9.5.22, 9.5.23, 9.5.24, 9.5.25, 9.5.26, 9.5.27, 9.5.28, 9.5.29, 9.5.30, 9.5.31, 10.0.0, 10.1.0, 10.2.0, 10.2.1, 10.2.2, 10.3.0, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 10.4.7, 10.4.8, 10.4.9, 10.4.10, 10.4.11, 10.4.12, 10.4.13, 10.4.14, 10.4.15, 10.4.16, 10.4.17, 10.4.18, 10.4.19, 10.4.20, 10.4.21, 10.4.22, 10.4.23, 10.4.24, 10.4.25, 10.4.26, 10.4.27, 10.4.28, 10.4.29, 10.4.30, 10.4.31, 10.4.32, 10.4.33, 10.4.34, 10.4.36, 10.4.37, 11.0.0, 11.1.0, 11.1.1, 11.2.0, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.4.0, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.5.11, 11.5.12, 11.5.13, 11.5.14, 11.5.15, 11.5.16, 11.5.17, 11.5.18, 11.5.19, 11.5.20, 11.5.21, 11.5.22, 11.5.23, 11.5.24, 11.5.25, 11.5.26, 11.5.27, 11.5.28, 11.5.29, 11.5.30, 11.5.31, 11.5.32, 11.5.33, 11.5.34, 11.5.35, 11.5.36, 11.5.37, 11.5.38, 11.5.39, 11.5.40, 11.5.41, 12.0.0, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.2.0, 12.3.0, 12.4.0, 12.4.1, 12.4.2, 12.4.3, 12.4.4, 12.4.5, 12.4.6, 12.4.7, 12.4.8, 12.4.9, 12.4.10, 12.4.11, 12.4.12, 12.4.13, 12.4.14, 12.4.15, 12.4.16, 12.4.17, 12.4.18, 12.4.19, 12.4.20, 12.4.21, 12.4.22, 12.4.23, 12.4.24, 12.4.25, 12.4.26, 13.0.0, 13.0.1, 13.1.0, 13.1.1, 13.2.1, 13.3.0, 13.3.1, 13.4.0, 13.4.1, 13.4.2, 13.4.3, 13.4.4
All unaffected versions: