Severity: Critical
CVSS Score: 10
Due to a missing file extension in the fileDenyPattern, backend user are allowed to upload *.pht files which can be executed in certain web server setups. The new default fileDenyPattern is the following, which might have been overridden in the TYPO3 Install Tool. ``` \.(php[3-7]?|phpsh|phtml|pht)(\..*)?$|^\.htaccess$ ```