Main Vulnerability Database SB2014052005

SB2014052005 - Multiple vulnerabilities in TYPO3

Published: May 20, 2014 Updated: August 10, 2020

Security Bulletin ID SB2014052005

Severity

Low

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-4320)

The vulnerability allows a remote #AU# to read and manipulate data.

The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.9 and 6.1.x before 6.1.4 does not properly check permissions, which allows remote authenticated users to create or read arbitrary files via a crafted URL.

2) Code Injection (CVE-ID: CVE-2013-4321)

The vulnerability allows a remote #AU# to read and manipulate data.

The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.4 allows remote authenticated editors to execute arbitrary PHP code via unspecified characters in the file extension when renaming a file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4250.

Remediation

Install update from vendor's website.

References

https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-003/