php · typo3/cms-core · Critical
typo3/cms-core: File upload bypass via mixed-case extensions leads to SQL injection and privilege escalation
What changed
Backend users with file write permissions can upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass upload restrictions, allowing execution of arbitrary SQL statements and privilege escalation to create admin accounts.
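The check that fails here is a plain case-sensitive suffix comparison. The PHP below is an added illustration written for this page, not TYPO3's own code: it puts a case-sensitive deny-list check next to a normalised one and runs both over a few constructed filenames, so the `.FORM.YAML` gap is visible. The suffix list, function names and sample filenames are assumptions; `str_ends_with()` needs PHP 8.0 or later.

```php
<?php
// Added example (not TYPO3 code). Shows why a case-sensitive extension check
// misses mixed-case variants such as ".FORM.YAML", and a normalised check that
// does not. The deny list and function names are assumptions for illustration.

declare(strict_types=1);

/** Multi-part suffixes that ordinary backend users must not upload (assumed list). */
const RESTRICTED_SUFFIXES = ['.form.yaml', '.form.yml'];

/** Weak check: compares the raw filename, so "contact.FORM.YAML" is accepted. */
function isRestrictedCaseSensitive(string $filename): bool
{
    foreach (RESTRICTED_SUFFIXES as $suffix) {
        if (str_ends_with($filename, $suffix)) {
            return true;
        }
    }
    return false;
}

/**
 * Hardened check: work on the basename only, strip trailing dots and spaces
 * (which some filesystems drop on write), then lower-case before comparing.
 */
function isRestrictedNormalised(string $filename): bool
{
    $name = strtolower(rtrim(basename($filename), " ."));
    foreach (RESTRICTED_SUFFIXES as $suffix) {
        if (str_ends_with($name, $suffix)) {
            return true;
        }
    }
    return false;
}

// Constructed sample filenames for the comparison.
$samples = [
    'contact.form.yaml',
    'contact.FORM.YAML',
    'contact.Form.Yml',
    'contact.form.yaml.',
    'notes.txt',
];

foreach ($samples as $file) {
    printf(
        "%-20s case-sensitive: %-5s normalised: %s\n",
        $file,
        isRestrictedCaseSensitive($file) ? 'deny' : 'allow',
        isRestrictedNormalised($file) ? 'deny' : 'allow'
    );
}
```

Run with `php check.php`; the second and third samples are allowed by the case-sensitive check and denied by the normalised one. In practice an allow-list of permitted extensions, compared after the same normalisation, is more robust than a deny-list, because it does not have to anticipate every variant.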
Who it affects
TYPO3 CMS versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, 14.3.3 LTS and earlier.
What to do today
Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, or 14.3.3 LTS immediately.