CVE-2013-4320
TYPO3 Improper Access Management in the File Abstraction Layer
EPSS 0.13%
Description
The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.9 and 6.1.x before 6.1.4 does not properly check permissions, which allows remote authenticated users to create or read arbitrary files via a crafted URL.
How to fix CVE-2013-4320
To remediate CVE-2013-4320, upgrade the affected package to a fixed version below.
- Packagist/typo3/cms-core—upgrade to 6.0.9 or later
Is CVE-2013-4320 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Packagist/typo3/cms-core: >= 6.0, < 6.0.9