PT-2021-14439 · Typo3 · Typo3

Jakob Kunzmann · Published 2021-03-23 · Updated 2024-03-06 · CVE-2021-21355

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions

TYPO3 versions prior to 8.7.40
TYPO3 versions prior to 9.5.25
TYPO3 versions prior to 10.4.14
TYPO3 versions prior to 11.1.1
Description

The issue arises from a lack of verification that an uploaded file's extension belongs to one of the configured allowed mime-types, allowing attackers to upload arbitrary data with arbitrary file extensions. The default fileDenyPattern does, however, still block files such as .htaccess or malicious.php. The UploadedFileReferenceConverter handles file uploads for extensions built on the Extbase MVC framework and accepts any file mime-type, persisting files in the default location /fileadmin/user_upload/. This allows attackers to reference uploaded files directly or to guess the filenames used by other users, disclosing the uploaded data. No authentication is required to exploit this issue.
Recommendations

Update to TYPO3 version 8.7.40 to resolve the issue.
Update to TYPO3 version 9.5.25 to resolve the issue.
Update to TYPO3 version 10.4.14 to resolve the issue.
Update to TYPO3 version 11.1.1 to resolve the issue.

For Extbase extensions that rely on the global availability of the UploadedFileReferenceConverter, implement a custom TypeConverter to handle file uploads or explicitly implement the ext:form UploadedFileReferenceConverter with appropriate settings for accepted mime-types.
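The two checks the advisory describes as missing, written as an added Python example rather than TYPO3's own converter code: the allowlist, the deny pattern and the upload folder below are constructed assumptions that mirror the advisory's terms, and the storage name is randomised so that other users' uploads cannot be enumerated by guessing filenames.

```python
import re
import secrets
from pathlib import PurePosixPath
from typing import Optional

# Constructed allowlist, in the spirit of an "accepted mime-types" setting:
# each accepted mime type is tied to the extensions that may carry it.
ALLOWED_MIME_TYPES = {
    "image/jpeg": {".jpg", ".jpeg"},
    "image/png": {".png"},
    "application/pdf": {".pdf"},
}

# Constructed deny pattern in the style of a fileDenyPattern (an approximation,
# not TYPO3's real default): blocks server-side script extensions, also when a
# second extension is appended, and blocks .htaccess.
DENY_PATTERN = re.compile(
    r"\.(php\d?|phtml|phar|shtml|cgi)(\..*)?$|^\.htaccess$", re.IGNORECASE
)

UPLOAD_FOLDER = "/fileadmin/user_upload"  # the advisory's default location


def validate_upload(filename: str, declared_mime: str) -> Optional[str]:
    """Return the accepted extension, or None if the upload must be rejected.

    Both conditions are enforced: the declared mime type must be in the
    allowlist, and the file extension must belong to that mime type.
    """
    name = PurePosixPath(filename).name  # drop any client-supplied directory part
    if DENY_PATTERN.search(name):
        return None
    extension = PurePosixPath(name).suffix.lower()  # ".htaccess" yields ""
    allowed_extensions = ALLOWED_MIME_TYPES.get(declared_mime, set())
    if extension not in allowed_extensions:
        return None
    return extension


def storage_path(filename: str, declared_mime: str) -> str:
    """Validate the upload, then place it under an unguessable random name."""
    extension = validate_upload(filename, declared_mime)
    if extension is None:
        raise ValueError(f"rejected upload {filename!r} ({declared_mime})")
    return f"{UPLOAD_FOLDER}/{secrets.token_hex(16)}{extension}"
```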

Weakness Enumeration

Unrestricted File Upload
Files Accessible to External Parties

Related Identifiers

BIT-TYPO3-2021-21355
CVE-2021-21355
GHSA-2R6J-862C-M2V2

Affected Products

Typo3