CVE-2013-4250 - Vulnerability Details

Vendors	Products
Typo3	Typo3

Link	Providers
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-002/

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-07-30T00:00:00", "descriptions": [{"lang": "en", "value": "The (1) file upload component and (2) File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.3 do not properly check file extensions, which allow remote authenticated editors to execute arbitrary PHP code by uploading a .php file."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-05-23T13:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-002/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-4250", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The (1) file upload component and (2) File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.3 do not properly check file extensions, which allow remote authenticated editors to execute arbitrary PHP code by uploading a .php file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-002/", "refsource": "CONFIRM", "url": "https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-002/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T16:38:01.887Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-002/"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-4250", "datePublished": "2014-05-20T14:00:00", "dateReserved": "2013-06-12T00:00:00", "dateUpdated": "2024-08-06T16:38:01.887Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : n/a (string)

vendor : n/a (string)

versions : [ »

0 : { »

status : affected (string)

version : n/a (string)

}

]

}

]

datePublic : 2013-07-30T00:00:00 (string)

descriptions : [ »

0 : { »

lang : en (string)

value : The (1) file upload component and (2) File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.3 do not properly check file extensions, which allow remote authenticated editors to execute arbitrary PHP code by uploading a .php file. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : n/a (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2014-05-23T13:57:00 (string)

orgId : 53f830b8-0a3f-465b-8143-3b8a9948e749 (string)

shortName : redhat (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-002/ (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : secalert@redhat.com (string)

ID : CVE-2013-4250 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : n/a (string)

version : { »

version_data : [ »

0 : { »

version_value : n/a (string)

}

]

}

]

}

vendor_name : n/a (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : The (1) file upload component and (2) File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.3 do not properly check file extensions, which allow remote authenticated editors to execute arbitrary PHP code by uploading a .php file. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : n/a (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-002/ (string)

refsource : CONFIRM (string)

url : https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-002/ (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-06T16:38:01.887Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-002/ (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 53f830b8-0a3f-465b-8143-3b8a9948e749 (string)

assignerShortName : redhat (string)

cveId : CVE-2013-4250 (string)

datePublished : 2014-05-20T14:00:00 (string)

dateReserved : 2013-06-12T00:00:00 (string)

dateUpdated : 2024-08-06T16:38:01.887Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:typo3:typo3:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "84C095F8-000A-4A8D-81DE-047810345A15", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "976AAF6F-BF03-40B7-B7D2-22101BD857D7", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "6E98D0D9-D9AE-44F7-8233-F92EB330B152", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:6.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "36EA784A-7C3A-41DA-B444-D01E3BC144BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:6.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "7294AA8B-0CD3-47A2-91DC-A882F7F3BDFC", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:6.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "4D28DD85-FBB3-4DD4-B525-7AFD32BE55F6", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:6.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "80C21E07-5083-4C86-AA9D-FCB73F636060", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:6.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "5DAE1BB4-2DBD-489E-B3F9-88CF414EAC2C", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:6.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "A862C28E-B1B9-4541-A559-D0BD16E575B4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:typo3:typo3:6.1:*:*:*:*:*:*:*", "matchCriteriaId": "C140F242-CF7C-4CB6-A358-5C8DB0F26DAA", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:6.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "81EAC0BA-B6AC-42BA-AEEE-946E1FBD770B", "vulnerable": true}, {"criteria": "cpe:2.3:a:typo3:typo3:6.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "AD31180A-8BD6-49AC-A758-5FA4C9A7B4C8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The (1) file upload component and (2) File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.3 do not properly check file extensions, which allow remote authenticated editors to execute arbitrary PHP code by uploading a .php file."}, {"lang": "es", "value": "El (1) componente de carga de archivos y (2) la Capa de Abstracci\u00f3n de Archivo (FAL) en TYPO3 versiones 6.0.x anteriores a 6.0.8 y versiones 6.1.x anteriores a 6.1.3, no comprueba apropiadamente las extensiones de archivo, que le permiten a editores autenticados remotos ejecutar c\u00f3digo PHP arbitrario mediante la carga de un archivo .php."}], "id": "CVE-2013-4250", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-05-20T14:55:04.147", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-002/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-002/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:typo3:typo3:6.0:*:*:*:*:*:*:* (string)

matchCriteriaId : 84C095F8-000A-4A8D-81DE-047810345A15 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:typo3:typo3:6.0.1:*:*:*:*:*:*:* (string)

matchCriteriaId : 976AAF6F-BF03-40B7-B7D2-22101BD857D7 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:typo3:typo3:6.0.2:*:*:*:*:*:*:* (string)

matchCriteriaId : 6E98D0D9-D9AE-44F7-8233-F92EB330B152 (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:typo3:typo3:6.0.3:*:*:*:*:*:*:* (string)

matchCriteriaId : 36EA784A-7C3A-41DA-B444-D01E3BC144BB (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:a:typo3:typo3:6.0.4:*:*:*:*:*:*:* (string)

matchCriteriaId : 7294AA8B-0CD3-47A2-91DC-A882F7F3BDFC (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:a:typo3:typo3:6.0.5:*:*:*:*:*:*:* (string)

matchCriteriaId : 4D28DD85-FBB3-4DD4-B525-7AFD32BE55F6 (string)

vulnerable : true (boolean)

}

6 : { »

criteria : cpe:2.3:a:typo3:typo3:6.0.6:*:*:*:*:*:*:* (string)

matchCriteriaId : 80C21E07-5083-4C86-AA9D-FCB73F636060 (string)

vulnerable : true (boolean)

}

7 : { »

criteria : cpe:2.3:a:typo3:typo3:6.0.7:*:*:*:*:*:*:* (string)

matchCriteriaId : 5DAE1BB4-2DBD-489E-B3F9-88CF414EAC2C (string)

vulnerable : true (boolean)

}

8 : { »

criteria : cpe:2.3:a:typo3:typo3:6.0.9:*:*:*:*:*:*:* (string)

matchCriteriaId : A862C28E-B1B9-4541-A559-D0BD16E575B4 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

1 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:typo3:typo3:6.1:*:*:*:*:*:*:* (string)

matchCriteriaId : C140F242-CF7C-4CB6-A358-5C8DB0F26DAA (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:typo3:typo3:6.1.1:*:*:*:*:*:*:* (string)

matchCriteriaId : 81EAC0BA-B6AC-42BA-AEEE-946E1FBD770B (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:typo3:typo3:6.1.2:*:*:*:*:*:*:* (string)

matchCriteriaId : AD31180A-8BD6-49AC-A758-5FA4C9A7B4C8 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

cveTags : [ *empty* ]

descriptions : [ »

0 : { »

lang : en (string)

value : The (1) file upload component and (2) File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.3 do not properly check file extensions, which allow remote authenticated editors to execute arbitrary PHP code by uploading a .php file. (string)

}

1 : { »

lang : es (string)

value : El (1) componente de carga de archivos y (2) la Capa de Abstracción de Archivo (FAL) en TYPO3 versiones 6.0.x anteriores a 6.0.8 y versiones 6.1.x anteriores a 6.1.3, no comprueba apropiadamente las extensiones de archivo, que le permiten a editores autenticados remotos ejecutar código PHP arbitrario mediante la carga de un archivo .php. (string)

}

]

id : CVE-2013-4250 (string)

lastModified : 2025-04-12T10:46:40.837 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : SINGLE (string)

availabilityImpact : PARTIAL (string)

baseScore : 6.5 (number)

confidentialityImpact : PARTIAL (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:L/Au:S/C:P/I:P/A:P (string)

version : 2.0 (string)

}

exploitabilityScore : 8 (number)

impactScore : 6.4 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

}

published : 2014-05-20T14:55:04.147 (string)

references : [ »

0 : { »

source : secalert@redhat.com (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-002/ (string)

}

1 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-002/ (string)

}

]

sourceIdentifier : secalert@redhat.com (string)

vulnStatus : Deferred (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-20 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object