typo3/cms-core is vulnerable to Unrestricted Upload of File with Dangerous Type. The vulnerability is due to missing file extensions in $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'], allowing attackers to upload files like *.phar, *.shtml, *.pl, or *.cgi, which can be executed in certain web server setups.
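
One way to check whether a configured deny pattern covers the extensions listed above (an added example, not code from TYPO3 or from this advisory). The function name, the sample file names and both patterns are constructed; applying the pattern case-insensitively with `/` delimiters is an assumption.

```php
<?php
declare(strict_types=1);

// File names built from the extensions the advisory lists (constructed samples).
const ADVISORY_SAMPLES = ['archive.phar', 'include.shtml', 'script.pl', 'handler.cgi'];

/**
 * Return the names in $fileNames that $denyPattern does not match,
 * i.e. uploads the pattern would let through.
 * Assumption: the pattern is applied as '/<pattern>/i' and contains no unescaped '/'.
 */
function findUnblockedNames(string $denyPattern, array $fileNames): array
{
    $regex = '/' . $denyPattern . '/i';
    // preg_match() returns false (with a warning) when the pattern does not compile.
    if (@preg_match($regex, '') === false) {
        throw new InvalidArgumentException('Not a valid regular expression: ' . $denyPattern);
    }
    return array_values(array_filter(
        $fileNames,
        static fn (string $name): bool => preg_match($regex, $name) !== 1
    ));
}

// Constructed patterns for illustration; neither is TYPO3's shipped default.
$patterns = [
    'constructed, incomplete' => '\.(php[3-7]?|phtml)(\..*)?$|^\.htaccess$',
    'constructed, extended'   => '\.(php[3-7]?|phtml|phar|shtml|cgi)(\..*)?$|\.pl$|^\.htaccess$',
];

// When run inside a bootstrapped TYPO3 instance, audit the live setting as well.
$live = $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] ?? null;
if (is_string($live) && $live !== '') {
    $patterns['live configuration'] = $live;
}

foreach ($patterns as $label => $pattern) {
    $missed = findUnblockedNames($pattern, ADVISORY_SAMPLES);
    $result = $missed === [] ? 'all samples denied' : 'NOT denied: ' . implode(', ', $missed);
    printf("%-26s %s\n", $label . ':', $result);
}
```

Any name reported as not denied is an upload the pattern would accept, so that extension needs to be added to the pattern or blocked at the web server.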