Arbitrary file upload in TYPO3 - CVE-2021-21355

 

Arbitrary file upload in TYPO3 - CVE-2021-21355

Published: March 16, 2021 / Updated: May 5, 2026


Vulnerability identifier: #VU129650
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2021-21355
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: TYPO3
Affected software:
TYPO3

Detailed vulnerability description

The vulnerability allows a remote attacker to upload arbitrary files and disclose sensitive information.

The vulnerability exists due to unrestricted file upload in UploadedFileReferenceConverter and the form framework when handling file uploads with file extensions that do not match configured allowed mime-types. A remote attacker can upload arbitrary data with arbitrary file extensions to upload arbitrary files and disclose sensitive information.

Uploaded files are stored in a predictable default location and often keep the submitted filename, which can enable direct access to uploaded files and guessing filenames used by other individuals.


How to mitigate CVE-2021-21355

Install security update from vendor's website.

Sources