CVSS2: 7.1 High
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:M/Au:N/C:C/I:N/A:N

EPSS: 0.085 Low
Percentile: 94.5%

The fileDenyPattern functionality in the PHP file inclusion protection API
in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5
does not properly filter file types, which allows remote attackers to
bypass intended access restrictions and access arbitrary PHP files, as
demonstrated using path traversal sequences with %00 null bytes and
CVE-2010-3714 to read the TYPO3 encryption key from localconf.php.