| Field | Value |
|---|---|
| Vulnerability Name: | CVE-2013-4321 (CCN-86928) |
| Assigned: | 2013-09-04 |
| Published: | 2013-09-04 |
| Updated: | 2014-05-21 |
| Summary: | The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.4 allows remote authenticated editors to execute arbitrary PHP code via unspecified characters in the file extension when renaming a file. Note: this vulnerability exists because of an incomplete fix for CVE-2013-4250. |
| CVSS v3 Severity: | 5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L) |
| CVSS v2 Severity: | 6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P); 4.8 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C); 4.8 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C) |
| Vulnerability Type: | CWE-94 |
| Vulnerability Consequences: | Bypass Security |
| References: | Source: MITRE, Type: CNA, CVE-2013-4321; Source: CCN, Type: SA54679, TYPO3 Security Bypass Vulnerabilities; Source: CCN, Type: TYPO3 Web Site, TYPO3; Source: CCN, Type: TYPO3-CORE-SA-2013-003, Incomplete Access Management and Remote Code Execution Vulnerability in TYPO3 Core; Source: CCN, Type: OSVDB ID: 96914, TYPO3 File Abstraction Layer (FAL) Crafted Name Denied File Extension Bypass; Source: CCN, Type: BID-62257, TYPO3 File Abstraction Layer Remote PHP Code Execution Vulnerability; Source: XF, Type: UNKNOWN, typo3-fal-filerename-security-bypass(86928); Source: CONFIRM, Type: Vendor Advisory, https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-003/ |
| Vulnerable Configuration: | Configuration 1: Configuration 2: Configuration CCN 1: |