Code Injection in TYPO3 - CVE-2013-4321
Published: May 20, 2014 / Updated: August 10, 2020
TYPO3
Detailed vulnerability description
The vulnerability allows a remote authenticated user to read and manipulate data.
The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.4 allows remote authenticated editors to execute arbitrary PHP code via unspecified characters in the file extension when renaming a file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4250.