CVE-2013-4250 – typo3/cms
Package
Manager: composer
Name: typo3/cms
Vulnerable Version: >=6.0.0 <6.0.8 || >=6.1.0 <6.1.3
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00391 (percentile: 0.59381)
Details
TYPO3 doesn't properly check file extensions.
The (1) file upload component and (2) File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.3 do not properly check file extensions, which allows remote authenticated editors to execute arbitrary PHP code by uploading a .php file.
Metadata
Created: 2022-05-17T04:43:06Z
Modified: 2025-04-14T15:47:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-54jj-pxx2-pv8h/GHSA-54jj-pxx2-pv8h.json
CWE IDs: ["CWE-20", "CWE-434"]
Alternative ID: GHSA-54jj-pxx2-pv8h
Finding: F027
Auto approve: 1