| Field | Value |
| --- | --- |
| Vulnerability Name | CVE-2013-4320 (CCN-86927) |
| Assigned | 2013-09-04 |
| Published | 2013-09-04 |
| Updated | 2014-05-21 |
| Summary | The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.9 and 6.1.x before 6.1.4 does not properly check permissions, which allows remote authenticated users to create or read arbitrary files via a crafted URL. |
| CVSS v3 Severity | 5.5 Medium (CCN CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L) |
| CVSS v2 Severity | 5.5 Medium (base vector AV:N/AC:L/Au:S/C:P/I:P/A:N); 4.0 Medium (temporal vector AV:N/AC:L/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C); 4.8 Medium (CCN temporal vector AV:N/AC:L/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C, which rates availability impact as Partial where the base vector has None) |
| Vulnerability Type | CWE-264 (Permissions, Privileges, and Access Controls) |
| Vulnerability Consequences | Bypass Security |
| References | MITRE (CNA): CVE-2013-4320; CCN: SA54679 "TYPO3 Security Bypass Vulnerabilities"; CCN: TYPO3 Web Site (TYPO3); CCN: TYPO3-CORE-SA-2013-003 "Incomplete Access Management and Remote Code Execution Vulnerability in TYPO3 Core"; CCN: OSVDB ID 96915 "TYPO3 File Abstraction Layer (FAL) Permission Implementation Weakness Arbitrary File Manipulation"; CCN: BID-62255 "TYPO3 File Handling Security Bypass Vulnerability"; XF: typo3-fal-security-bypass(86927); CONFIRM (Vendor Advisory): https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-003/ |
| Vulnerable Configuration | Configuration 1; Configuration 2; Configuration CCN 1 |
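Two checks a practitioner would want to run against this record, written as an added example (not code from TYPO3, the CCN database or the vendor bulletin): an affected-version test built only from the ranges in the Summary row, and a CVSS v2 base/temporal calculator that reproduces the 5.5, 4.0 and 4.8 in the CVSS v2 row. The metric weights are the CVSS v2 specification constants; the function names, the `FIXED_IN` table and the treatment of branches the summary does not name (they are reported as not affected, because the page says nothing about them) are this example's own assumptions. The calculator also exposes a caveat the numbers on the page imply: the 4.0 temporal score only reproduces when the temporal multiplier is applied to the full-precision base score, whereas applying it to the already-rounded 5.5 yields 4.1.

```python
"""Affected-version check and CVSS v2 scoring for the CVE-2013-4320 record.

Added example; the version ranges come from the record's Summary row and the
CVSS constants from the CVSS v2 specification. Everything else is assumed.
"""
from __future__ import annotations

from decimal import Decimal, ROUND_HALF_UP

# --- 1. Affected-version check -------------------------------------------
# From the summary: "6.0.x before 6.0.9 and 6.1.x before 6.1.4".
# Maps a (major, minor) branch to the first fixed release on that branch.
# Branches not listed here are not named on the page, so they are treated as
# not affected (an assumption of this example, not a statement by the vendor).
FIXED_IN: dict[tuple[int, int], tuple[int, int, int]] = {
    (6, 0): (6, 0, 9),
    (6, 1): (6, 1, 4),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '6.0.8' (or '6.0.8-dev') into (6, 0, 8); a suffix after '-' is dropped."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def typo3_fal_affected(version: str) -> bool:
    """True when `version` is inside one of the vulnerable ranges in the summary."""
    parts = parse_version(version)
    fixed = FIXED_IN.get(parts[:2])  # type: ignore[arg-type]
    # A bare '6.0' parses to (6, 0), which sorts below (6, 0, 9) and is affected.
    return fixed is not None and parts < fixed


# --- 2. CVSS v2 base and temporal scores ----------------------------------
# Metric weights from the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}


def parse_vector(vector: str) -> dict[str, str]:
    """'AV:N/AC:L/Au:S/C:P/I:P/A:N' -> {'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":", 1) for part in vector.split("/"))


def round1(x: float) -> float:
    """CVSS v2 round_to_1_decimal, done in Decimal so 4.05 does not become 4.0."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base_unrounded(metrics: dict[str, str]) -> float:
    """Base equation: ((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact)."""
    impact = 10.41 * (1 - (1 - CIA[metrics["C"]]) * (1 - CIA[metrics["I"]]) * (1 - CIA[metrics["A"]]))
    exploitability = 20 * AV[metrics["AV"]] * AC[metrics["AC"]] * AU[metrics["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact


def cvss2_scores(vector: str, round_base_first: bool = False) -> tuple[float, float | None]:
    """Return (base, temporal), each rounded to one decimal.

    temporal is None when the vector carries no E/RL/RC metrics. With
    round_base_first=False the temporal multiplier is applied to the
    full-precision base (this reproduces the 4.0 on the page); with True it is
    applied to the rounded base, which gives 4.1 for the same vector.
    """
    m = parse_vector(vector)
    base = cvss2_base_unrounded(m)
    if not ({"E", "RL", "RC"} & m.keys()):
        return round1(base), None
    multiplier = E[m.get("E", "ND")] * RL[m.get("RL", "ND")] * RC[m.get("RC", "ND")]
    start = round1(base) if round_base_first else base
    return round1(base), round1(start * multiplier)


if __name__ == "__main__":
    for v in ("6.0.8", "6.0.9", "6.1.3", "6.1.4", "4.5.30"):
        print(f"TYPO3 {v}: affected={typo3_fal_affected(v)}")
    for vec in (
        "AV:N/AC:L/Au:S/C:P/I:P/A:N",
        "AV:N/AC:L/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C",
        "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C",
    ):
        print(vec, cvss2_scores(vec), "rounded-base variant:", cvss2_scores(vec, True))
```

The version check is deliberately narrow: it answers only the question the Summary row answers, so a 6.2 or 4.5 release comes back as "not affected" because the page makes no claim about it, not because it has been verified safe. The CCN temporal vector's 4.8 is the same multiplier applied to a base vector that rates availability impact as Partial; that base would be 6.5 by the same equations.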