Vulnerability Name: CVE-2013-4250 (CCN-86510)
Assigned: 2013-07-30
Published: 2013-07-30
Updated: 2014-05-31
Summary: The (1) file upload component and (2) File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.3 do not properly check file extensions, which allows remote authenticated editors to execute arbitrary PHP code by uploading a .php file.
CVSS v3 Severity: 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVSS v2 Severity:
- 6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
- 4.8 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C)
- 5.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Vulnerability Type: CWE-20
Vulnerability Consequences: Gain Access
References:
- Source: MITRE, Type: CNA: CVE-2013-4250
- Source: CCN, Type: TYPO3 Web site: TYPO3
- Source: CCN, Type: TYPO3-CORE-SA-2013-002: Cross-Site Scripting and Remote Code Execution Vulnerability in TYPO3 Core
- Source: XF, Type: UNKNOWN: typo3-cve20134250-code-execution(86510)
- Source: CONFIRM, Type: Vendor Advisory: https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-002/
- Source: CCN, Type: WhiteSource Vulnerability Database: CVE-2013-4250
Vulnerable Configuration: Configuration 1: Configuration 2: Configuration CCN 1: Denotes that component is vulnerable