Arbitrary file upload in TYPO3 - CVE-2021-21357

Published: March 16, 2021 / Updated: May 5, 2026


Vulnerability identifier: #VU129649
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-21357
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: TYPO3
Software vendor: TYPO3

Description

The vulnerability allows a remote user to upload arbitrary files and write them to arbitrary writable directories.

The vulnerability exists due to improper input validation in the Form Designer backend module of the Form Framework when processing submitted form configuration data. A remote user can bypass the restrictions imposed by the predefined options to upload arbitrary files and write them to arbitrary writable directories.

Exploitation requires a valid backend user account with access to the form module.
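As an added illustration of the server-side check the description implies (example code, not TYPO3's own; the class name, option values and paths are hypothetical), a validator that accepts a submitted target directory only when it is exactly one of the predefined options and, as defense in depth, still resolves inside an allowed base directory:

```php
<?php
declare(strict_types=1);

// Hypothetical validator for a form-configuration value such as the target
// directory of a file-upload element. It rejects any value that is not one of
// the predefined options and any option that escapes the allowed base.
final class UploadTargetValidator
{
    /** @var string[] normalized absolute base directories uploads may land in */
    private array $allowedBases;
    /** @var string[] exactly the options the configuration editor offers */
    private array $predefinedOptions;

    public function __construct(array $allowedBases, array $predefinedOptions)
    {
        $this->allowedBases = array_map([$this, 'normalize'], $allowedBases);
        $this->predefinedOptions = $predefinedOptions;
    }

    // Lexical normalization only: collapses '.', '..', backslashes and
    // duplicate slashes without touching the filesystem.
    private function normalize(string $path): string
    {
        $parts = [];
        foreach (explode('/', str_replace('\\', '/', $path)) as $segment) {
            if ($segment === '' || $segment === '.') { continue; }
            if ($segment === '..') { array_pop($parts); continue; }
            $parts[] = $segment;
        }
        return '/' . implode('/', $parts);
    }

    public function isAllowed(string $submitted): bool
    {
        // 1. Strict membership in the predefined options (no loose comparison).
        if (!in_array($submitted, $this->predefinedOptions, true)) {
            return false;
        }
        // 2. Even a listed option must stay inside an allowed base after normalization.
        $target = $this->normalize($submitted);
        foreach ($this->allowedBases as $base) {
            if ($target === $base || strncmp($target, $base . '/', strlen($base) + 1) === 0) {
                return true;
            }
        }
        return false;
    }
}

// Constructed sample values for a stand-alone run.
$validator = new UploadTargetValidator(
    ['/var/www/html/fileadmin/user_upload'],
    ['/var/www/html/fileadmin/user_upload/forms']
);
var_dump($validator->isAllowed('/var/www/html/fileadmin/user_upload/forms'));
var_dump($validator->isAllowed('/var/www/html/fileadmin/user_upload/forms/../../../typo3conf'));
```

The second call is rejected at step 1 because the value is not a predefined option; step 2 would also reject it, since the normalized path leaves the allowed base.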


Remediation

Install the security update from the vendor's website.

External links