GHSA-67wg-6j7r-mqh8: Arbitrary Code Execution in TYPO3 CMS
Due to a missing file extension in the fileDenyPattern, backend users are allowed to upload *.pht files, which can be executed in certain web server setups. The new default fileDenyPattern is shown below; note that a site-specific value may have been set in the TYPO3 Install Tool, overriding the default.
\.(php[3-7]?|phpsh|phtml|pht)(\..*)?$|^\.htaccess$
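As an added illustration (not part of the advisory or of TYPO3's own code), the following Python snippet checks upload names against the corrected pattern and against a reconstructed pre-fix pattern that lacks the `pht` alternative, to show exactly which names the fix newly rejects. The pre-fix pattern and the case-insensitive match are assumptions.

```python
import re

# Corrected default fileDenyPattern as given in the advisory.
NEW_FILE_DENY_PATTERN = r"\.(php[3-7]?|phpsh|phtml|pht)(\..*)?$|^\.htaccess$"

# Assumed pre-fix pattern: the same expression without the `pht` alternative.
# This is a reconstruction for comparison, not a value quoted from the advisory.
OLD_FILE_DENY_PATTERN = r"\.(php[3-7]?|phpsh|phtml)(\..*)?$|^\.htaccess$"


def is_denied(filename: str, pattern: str = NEW_FILE_DENY_PATTERN) -> bool:
    """Return True if the upload name is blocked by the deny pattern.

    The match is case-insensitive here (an assumption about the TYPO3 check,
    so that a name like INDEX.PHT is not let through by case alone).
    The `(\\..*)?$` group also catches double extensions such as index.php.jpg.
    """
    return re.search(pattern, filename, re.IGNORECASE) is not None


def compare_patterns(filenames):
    """Map each name to (denied_by_old, denied_by_new) for side-by-side review."""
    return {
        name: (is_denied(name, OLD_FILE_DENY_PATTERN), is_denied(name, NEW_FILE_DENY_PATTERN))
        for name in filenames
    }


if __name__ == "__main__":
    # Constructed sample upload names; only the .pht variants differ between patterns.
    samples = ["report.pdf", "index.php", "index.php.jpg", "index.pht",
               "index.pht.txt", "image.PHT", "notes.phtml", ".htaccess"]
    for name, (old, new) in compare_patterns(samples).items():
        print(f"{name:16} old={'deny' if old else 'allow':5} new={'deny' if new else 'allow'}")
```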
References