Arbitrary file upload in TYPO3 - CVE-2021-21355

Published: March 16, 2021 / Updated: May 5, 2026


Vulnerability identifier: #VU129650
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2021-21355
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
TYPO3
Software vendor:
TYPO3

Description

The vulnerability allows a remote attacker to upload arbitrary files and to disclose sensitive information.

The vulnerability exists because UploadedFileReferenceConverter and the form framework do not restrict file uploads whose file extension does not match the configured allowed MIME types: the submitted file extension is not validated against the allowed MIME types. A remote attacker can therefore submit arbitrary data with an arbitrary file extension and have it stored on the server.

Uploaded files are stored in a predictable default location and usually keep the submitted filename, so an uploaded file can be accessed directly by URL and the filenames of files uploaded by other users can be guessed, which discloses their contents.


Remediation

Install the security update from the vendor's website.

External links