Typo3 : Security Vulnerabilities, CVEs, Published In May 2014
The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.4 allows remote authenticated editors to execute arbitrary PHP code via unspecified characters in the file extension when renaming a file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4250.
Max CVSS
6.5
EPSS Score
0.25%
Published
2014-05-20
Updated
2014-05-21
The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.9 and 6.1.x before 6.1.4 does not properly check permissions, which allows remote authenticated users to create or read arbitrary files via a crafted URL.
Max CVSS
5.5
EPSS Score
0.13%
Published
2014-05-20
Updated
2014-05-21
The (1) file upload component and (2) File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.3 do not properly check file extensions, which allow remote authenticated editors to execute arbitrary PHP code by uploading a .php file.
Max CVSS
6.5
EPSS Score
0.17%
Published
2014-05-20
Updated
2014-05-31
The Backend History Module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 does not properly restrict access, which allows remote authenticated editors to read the history of arbitrary records via a crafted URL.
Max CVSS
4.0
EPSS Score
0.08%
Published
2014-05-20
Updated
2014-05-21
4 vulnerabilities found