- Release Date: May 07, 2019
- Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
- Vulnerability Type: Arbitrary File Upload
- Affected Versions: 4.2.1 and below
- Severity: High
- Suggested CVSS v3.0: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
- CVE: not assigned yet
The extension bundles the third-party component “Uploadify”, which ships a demo script that uploads files with the extensions “jpg”, “jpeg”, “gif” and “png” to the server without authentication. A second demo script allows checking whether a file with a given name already exists on the server.
An updated version 4.2.2 is available from the TYPO3 Extension Manager and at https://extensions.typo3.org/extension/download/yag/4.2.2/zip/
Users of the extension are advised to update the extension as soon as possible.
Additionally, extension users are advised to check the folder /uploads for images or other files that may have been uploaded through the “Uploadify” demo script.
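As an added example (not part of this advisory or the extension), the following triage script walks an upload folder and flags files that fall outside the demo script's jpg/jpeg/gif/png allow-list, whose content does not start with the magic bytes of their claimed image type, or that carry an embedded PHP tag. The upload folder path, the file names in the constructed sample directory and the marker heuristics are assumptions made for the example.

```python
import tempfile
from pathlib import Path

# Magic bytes for the four extensions the Uploadify demo script accepts.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
# Crude triage markers; a hit means "look at this file", not proof of compromise.
SCRIPT_MARKERS = (b"<?php", b"<?=")

def inspect_file(path: Path) -> list:
    """Return findings for one file; an empty list means nothing notable."""
    findings = []
    ext = path.suffix.lower()
    data = path.read_bytes()
    if ext not in IMAGE_MAGIC:
        findings.append("extension outside the jpg/jpeg/gif/png allow-list")
    elif not any(data.startswith(m) for m in IMAGE_MAGIC[ext]):
        findings.append(f"content does not start with {ext} magic bytes")
    if any(marker in data for marker in SCRIPT_MARKERS):
        findings.append("embedded PHP tag found")
    return findings

def audit_uploads(upload_dir: str) -> dict:
    """Walk upload_dir recursively; map relative path -> findings for flagged files."""
    root = Path(upload_dir)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            findings = inspect_file(path)
            if findings:
                report[path.relative_to(root).as_posix()] = findings
    return report

def build_sample_dir() -> str:
    """Constructed sample upload folder (not real data) for trying the audit offline."""
    d = Path(tempfile.mkdtemp())
    (d / "ok.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)   # genuine image header
    (d / "fake.jpg").write_bytes(b"<?php echo 1; ?>")                  # wrong magic + PHP tag
    (d / "shell.php").write_bytes(b"<?php echo 1; ?>")                 # not an image at all
    (d / "sub").mkdir()
    (d / "sub" / "poly.gif").write_bytes(b"GIF89a" + b"<?php x ?>")    # valid header, PHP appended
    return str(d)

if __name__ == "__main__":
    for rel, findings in audit_uploads(build_sample_dir()).items():
        print(f"{rel}: {'; '.join(findings)}")
```

Point `audit_uploads()` at the real /uploads folder of the TYPO3 installation to review it; anything it flags should be inspected by hand and, if not legitimately placed there, removed.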
Credits go to Denis Werner who discovered and reported the vulnerability.