CVE-2021-21355Unrestricted File Upload in Typo3

CWE-434Unrestricted File UploadCWE-552Files or Directories Accessible to External Parties4 documents4 sources
Severity
8.6HIGHNVD
EPSS
0.4%
top 38.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Typo3Typo3 CMSTypo3 Cms-core+2 more
Timeline
PublishedMar 23

Description

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14, 11.1.1, due to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - however, default _fileDenyPattern_ successfully blocked files like _.htaccess_ or _malicious.php_. Besides that, _UploadedFileReferenceConverter_ transforming uploaded files into proper FileReference domain model objects ha

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:LExploitability: 3.9 | Impact: 4.7

Affected Packages5 packages

Packagisttypo3/cms10.0.010.4.14+2
NVDtypo3/typo38.0.08.7.40+3
Packagisttypo3/cms-core10.0.010.4.14+2
Packagisttypo3/cms-form8.0.08.7.40+3
CVEListV5typo3/typo3.cms4 versions+3

🔴Vulnerability Details

3
CVEList
Unrestricted File Upload in Form Framework2021-03-23
GHSA
Unrestricted File Upload in Form Framework2021-03-23
OSV
Unrestricted File Upload in Form Framework2021-03-23
CVE-2021-21355 — Unrestricted File Upload in Typo3 | cvebase