CVE-2013-4250: TYPO3 doesn't properly check file extensions

May 17, 2022 (updated April 14, 2025)

The (1) file upload component and (2) File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.3 do not properly check file extensions, which allow remote authenticated editors to execute arbitrary PHP code by uploading a .php file.

References

github.com/TYPO3/typo3
github.com/advisories/GHSA-54jj-pxx2-pv8h
nvd.nist.gov/vuln/detail/CVE-2013-4250
typo3.org/security/advisory/typo3-core-sa-2013-002

Code Behaviors & Features

Detect and mitigate CVE-2013-4250 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →