GHSA-m76j-69c2-c3m8

Source

https://github.com/advisories/GHSA-m76j-69c2-c3m8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-m76j-69c2-c3m8/GHSA-m76j-69c2-c3m8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-m76j-69c2-c3m8

Aliases

CVE-2013-4321

Published

2022-05-17T04:43:27Z

Modified

2025-04-14T16:42:07.266750Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

TYPO3 vulnerable to remote authenticated arbitrary code execution

Details

The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.9 and 6.1.x before 6.1.4 allows remote authenticated editors to execute arbitrary PHP code via unspecified characters in the file extension when renaming a file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4250.

Database specific

{
    "severity": "HIGH",
    "github_reviewed": true,
    "nvd_published_at": "2014-05-20T14:55:00Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "github_reviewed_at": "2025-04-14T16:00:18Z"
}

References

Affected packages

Packagist / typo3/cms

Package

Name: typo3/cms
Purl: pkg:composer/typo3/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.0.9

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-m76j-69c2-c3m8/GHSA-m76j-69c2-c3m8.json"

Packagist / typo3/cms

Package

Name: typo3/cms
Purl: pkg:composer/typo3/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.1.0

Fixed

6.1.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-m76j-69c2-c3m8/GHSA-m76j-69c2-c3m8.json"