High severityNVD Advisory· Published May 20, 2014· Updated May 6, 2026

CVE-2013-4321

Description

The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.4 allows remote authenticated editors to execute arbitrary PHP code via unspecified characters in the file extension when renaming a file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4250.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
typo3/cmsPackagist	>= 6.0.0, < 6.0.9	6.0.9
typo3/cmsPackagist	>= 6.1.0, < 6.1.4	6.1.4

Affected products

TYPO3/Typo312 versions
cpe:2.3:a:typo3:typo3:6.1:*:*:*:*:*:*:*+ 11 more
- cpe:2.3:a:typo3:typo3:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:typo3:typo3:6.0.7:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-m76j-69c2-c3m8ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2013-4321ghsaADVISORY
typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-003/nvdVendor Advisory
typo3.org/security/advisory/typo3-core-sa-2013-003ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000