GHSA-6jrf-rcjf-245r: changedetection.io path traversal using file URI scheme without supplying hostname

GHSA-7mr7-4f54-vcx5: HTTP Client uses incorrect token after refresh

GHSA-hfq9-hggm-c56q: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream

GHSA-2w5v-x29g-jw7j: Hashicorp Nomad Incorrect Authorization vulnerability

GHSA-3m9x-2qfj-xvq4: PHPExcel XXE Vulnerability

Due to a missing file extension in the fileDenyPattern, backend user are allowed to upload *.pht files which can be executed in certain web server setups. The new default fileDenyPattern is the following, which might have been overridden in the TYPO3 Install Tool.
```
\.(php[3-7]?|phpsh|phtml|pht)(\..*)?$|^\.htaccess$
```

**Arbitrary Code Execution in TYPO3 CMS**

Critical severity GitHub Reviewed Published Jun 5, 2024 to the GitHub Advisory Database • Updated Jun 5, 2024

Headline

GHSA-67wg-6j7r-mqh8: Arbitrary Code Execution in TYPO3 CMS

ghsa: Latest News