CVE-2008-2717 — TYPO3 Unrestricted File Upload vulnerability

Description

TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, uses an insufficiently restrictive default fileDenyPattern for Apache, which allows remote attackers to bypass security restrictions and upload configuration files such as .htaccess, or conduct file upload attacks using multiple extensions.

How to fix CVE-2008-2717

To remediate CVE-2008-2717, upgrade the affected package to a fixed version below.

Debian/typo3-src—upgrade to 4.0.2+debian-5 or later
Packagist/typo3/cms-core—upgrade to 4.0.9 or later

Is CVE-2008-2717 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.0.2+debian-5
>= 4.0.0, < 4.0.9

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2008-2717
PATCHgithub.com/TYPO3-CMS/core
WEBbuzz.typo3.org/teams/security/article/advice-on-core-security-issue-regarding-filedenypattern
WEBexchange.xforce.ibmcloud.com/vulnerabilities/42988