CVE-2013-4250
TYPO3 doesn't properly check file extensions
EPSS 0.39%
Description
The (1) file upload component and (2) File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.3 do not properly check file extensions, which allows remote authenticated editors to execute arbitrary PHP code by uploading a .php file.
How to fix CVE-2013-4250
To remediate CVE-2013-4250, upgrade the affected package to a fixed version below.
- Packagist/typo3/cms—upgrade to 6.0.8 or later
Is CVE-2013-4250 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 6.0.0, < 6.0.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |