CVE-2021-21355
Published 2021-03-23
Priority P3 52 · high · 8.6 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
EPSS: 1.63% (73.3rd percentile)
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14 and 11.1.1, because file extensions were not checked against the configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions; the default _fileDenyPattern_ did, however, successfully block files such as _.htaccess_ or _malicious.php_. In addition, _UploadedFileReferenceConverter_, which transforms uploaded files into proper FileReference domain model objects, also handles file uploads for other extensions, provided those extensions use the Extbase MVC framework, use FileReference items in their direct or inherited domain model definitions, and do not implement their own type converter. Where this applies, _UploadedFileReferenceConverter_ accepts any file mime-type and persists the files in the default location. In every case, uploaded files are placed in the default location _/fileadmin/user_upload/_, in most scenarios keeping the submitted filename, which allows attackers to reference the files directly, or even to correctly guess filenames used by other individuals, disclosing that information. No authentication is required to exploit this vulnerability. This is fixed in versions 8.7.40, 9.5.25, 10.4.14 and 11.1.1.
Affected (18 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| typo3 | cms | >= 10.0.0 < 10.4.14 | 10.4.14 |
| typo3 | cms | >= 11.0.0 < 11.1.1 | 11.1.1 |
| typo3 | cms | >= 9.0.0 < 9.5.25 | 9.5.25 |
| typo3 | cms-core | >= 10.0.0 < 10.4.14 | 10.4.14 |
| typo3 | cms-core | >= 11.0.0 < 11.1.1 | 11.1.1 |
| typo3 | cms-core | >= 9.0.0 < 9.5.25 | 9.5.25 |
| typo3 | cms-form | >= 10.0.0 < 10.4.14 | 10.4.14 |
| typo3 | cms-form | >= 11.0.0 < 11.1.1 | 11.1.1 |
| typo3 | cms-form | >= 8.0.0 < 8.7.40 | 8.7.40 |
| typo3 | cms-form | >= 9.0.0 < 9.5.25 | 9.5.25 |
| typo3 | typo3 | >= 10.0.0 < 10.4.14 | 10.4.14 |
| typo3 | typo3 | >= 11.0.0 < 11.1.1 | 11.1.1 |
| typo3 | typo3 | >= 8.0.0 < 8.7.40 | 8.7.40 |
| typo3 | typo3 | >= 9.0.0 < 9.5.25 | 9.5.25 |
| typo3 | typo3.cms | — | — |
| typo3 | typo3.cms | — | — |
| typo3 | typo3.cms | — | — |
| typo3 | typo3.cms | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
GHSA (ghsa · 2021-03-23): CVE-2021-21355 [HIGH] CWE-434 Unrestricted File Upload in Form Framework
### Problem
Because file extensions were not checked against the configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions; the default _fileDenyPattern_ did, however, successfully block files such as _.htaccess_ or _malicious.php_.
TYPO3 Extbase extensions that implement a file upload and do not implement a custom _TypeConverter_ to transform uploaded files into _FileReference_ domain model objects are affected as well, since the _UploadedFileReferenceConverter_ of _ext:form_ handles the file upload and accepts files of any mime-type, which are then persisted to the default location.
In every case, uploaded files are placed in the default location _/fileadmin/user_upload/_, in most scenarios keeping the submitted filename, which allows attackers to reference the files directly, or even to correctly guess filenames used by other individuals, disclosing that information.
OSV (osv · 2021-03-23): CVE-2021-21355 [HIGH] Unrestricted File Upload in Form Framework
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2r6j-862c-m2v2
- https://packagist.org/packages/typo3/cms-form
- https://typo3.org/security/advisory/typo3-core-sa-2021-002