Arbitrary file upload in TYPO3 - CVE-2021-21357

 

Arbitrary file upload in TYPO3 - CVE-2021-21357

Published: March 16, 2021 / Updated: May 5, 2026


Vulnerability identifier: #VU129649
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-21357
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: TYPO3
Affected software:
TYPO3

Detailed vulnerability description

The vulnerability allows a remote user to upload arbitrary files and write them to arbitrary writable directories.

The vulnerability exists due to improper input validation in the Form Designer backend module of the Form Framework when processing submitted form configuration data. A remote user can bypass restrictions of predefined options to upload arbitrary files and write them to arbitrary writable directories.

Exploitation requires a valid backend user account with access to the form module.


How to mitigate CVE-2021-21357

Install security update from vendor's website.

Sources