CVE-2013-4321: TYPO3 vulnerable to remote authenticated arbitrary code execution

May 17, 2022 (updated April 14, 2025)

The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.9 and 6.1.x before 6.1.4 allows remote authenticated editors to execute arbitrary PHP code via unspecified characters in the file extension when renaming a file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4250.

References

github.com/TYPO3/typo3
github.com/advisories/GHSA-m76j-69c2-c3m8
nvd.nist.gov/vuln/detail/CVE-2013-4321
typo3.org/security/advisory/typo3-core-sa-2013-003

Code Behaviors & Features

Detect and mitigate CVE-2013-4321 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →