CVE-2013-4321 – typo3/cms

Package

Manager: composer
Name: typo3/cms
Vulnerable Version: >=6.0.0 <6.0.9 || >=6.1.0 <6.1.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00485 pctl0.64385

Details

TYPO3 vulnerable to remote authenticated arbitrary code execution The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.9 and 6.1.x before 6.1.4 allows remote authenticated editors to execute arbitrary PHP code via unspecified characters in the file extension when renaming a file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4250.

Metadata

Created: 2022-05-17T04:43:27Z
Modified: 2025-04-14T16:00:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-m76j-69c2-c3m8/GHSA-m76j-69c2-c3m8.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-m76j-69c2-c3m8
Finding: F422
Auto approve: 1