CVE-2013-4321

EPSS 0.48%

TYPO3 vulnerable to remote authenticated arbitrary code execution

Published: 5/17/2022Modified: 4/14/2025

Description

The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.9 and 6.1.x before 6.1.4 allows remote authenticated editors to execute arbitrary PHP code via unspecified characters in the file extension when renaming a file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4250.

Affected packages (1)

Packagist/typo3/cms>= 6.0.0, < 6.0.9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2013-4321
PATCHhttps://github.com/TYPO3/typo3
WEBhttps://typo3.org/security/advisory/typo3-core-sa-2013-003