CVE-2010-3663
TYPO3 Arbitrary Code Execution vulnerability on the backend
CVSS 3.1: 8.8 (HIGH)
EPSS: 3.0%
Description
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains an insecure default value of the variable fileDenyPattern which could allow remote attackers to execute arbitrary code on the backend.
How to fix CVE-2010-3663
To remediate CVE-2010-3663, upgrade the affected package to a fixed version below.
- Packagist/typo3/cms-backend: upgrade to 4.1.14 or later
Is CVE-2010-3663 being exploited?
Low — EPSS is 3.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 4.1.14
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |