CVE-2021-21357

Name of the Vulnerable Software and Affected Versions TYPO3 versions prior to 8.7.40, 9.5.25, 10.4.14, 11.1.1

Description The issue arises from improper input validation, allowing attackers to bypass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of the Form Framework. This enables attackers to explicitly allow arbitrary mime-types for file uploads. Although the default fileDenyPattern successfully blocks files like .htaccess or malicious.php, attackers can still persist those files in any writable directory of the corresponding TYPO3 installation. A valid backend user account with access to the form module is needed to exploit this vulnerability.

Recommendations Update to TYPO3 version 8.7.40 to fix the issue. Update to TYPO3 version 9.5.25 to fix the issue. Update to TYPO3 version 10.4.14 to fix the issue. Update to TYPO3 version 11.1.1 to fix the issue.