CWE-552
AllowedFiles or Directories Accessible to External Parties
Abstraction: Base · Status: Draft
The product makes files or directories accessible to unauthorized actors, even though they should not be.
670 vulnerabilities reference this CWE, most recent first.
GHSA-27CH-RVFM-9RF6
Vulnerability from github – Published: 2023-03-09 03:30 – Updated: 2023-03-15 15:30onekeyadmin v1.3.9 was discovered to contain an arbitrary file read vulnerability via the component /admin1/file/download.
{
"affected": [],
"aliases": [
"CVE-2023-26948"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-09T01:15:00Z",
"severity": "HIGH"
},
"details": "onekeyadmin v1.3.9 was discovered to contain an arbitrary file read vulnerability via the component /admin1/file/download.",
"id": "GHSA-27ch-rvfm-9rf6",
"modified": "2023-03-15T15:30:23Z",
"published": "2023-03-09T03:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26948"
},
{
"type": "WEB",
"url": "https://github.com/keheying/onekeyadmin/issues/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-27Q2-F36G-HMV6
Vulnerability from github – Published: 2022-11-19 00:30 – Updated: 2022-11-21 21:30Unauth. Arbitrary File Download vulnerability in WatchTowerHQ plugin <= 3.6.15 on WordPress.
{
"affected": [],
"aliases": [
"CVE-2022-44583"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-18T23:15:00Z",
"severity": "HIGH"
},
"details": "Unauth. Arbitrary File Download vulnerability in WatchTowerHQ plugin \u003c= 3.6.15 on WordPress.",
"id": "GHSA-27q2-f36g-hmv6",
"modified": "2022-11-21T21:30:17Z",
"published": "2022-11-19T00:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44583"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/watchtowerhq/wordpress-watchtowerhq-plugin-3-6-15-unauth-arbitrary-file-download-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/watchtowerhq/#developers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-287W-267V-H5RM
Vulnerability from github – Published: 2026-06-03 12:30 – Updated: 2026-06-03 12:30Files or directories accessible to external parties vulnerability in ABB T-MAC Plus.
This issue affects T-MAC Plus: 4.0-24.
{
"affected": [],
"aliases": [
"CVE-2025-14771"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-03T11:16:17Z",
"severity": "HIGH"
},
"details": "Files or directories accessible to external parties vulnerability in ABB T-MAC Plus.\n\nThis issue affects T-MAC Plus: 4.0-24.",
"id": "GHSA-287w-267v-h5rm",
"modified": "2026-06-03T12:30:26Z",
"published": "2026-06-03T12:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14771"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108472A7840\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-29RJ-95HW-FHM9
Vulnerability from github – Published: 2022-11-21 12:30 – Updated: 2022-11-23 15:30The DeepL Pro API translation plugin WordPress plugin before 1.7.5 discloses sensitive information in its log files (which are publicly accessible), including DeepL API key.
{
"affected": [],
"aliases": [
"CVE-2022-3691"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-358",
"CWE-532",
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-21T11:15:00Z",
"severity": "HIGH"
},
"details": "The DeepL Pro API translation plugin WordPress plugin before 1.7.5 discloses sensitive information in its log files (which are publicly accessible), including DeepL API key.",
"id": "GHSA-29rj-95hw-fhm9",
"modified": "2022-11-23T15:30:21Z",
"published": "2022-11-21T12:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3691"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/4248a0af-1b7e-4e29-8129-3f40c1d0c560"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2J39-QCJM-428W
Vulnerability from github – Published: 2023-12-07 09:30 – Updated: 2025-02-13 19:28An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.struts:struts2-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.5.33"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.struts:struts2-core"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.3.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-50164"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-07T21:34:55Z",
"nvd_published_at": "2023-12-07T09:15:07Z",
"severity": "CRITICAL"
},
"details": "An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.\nUsers are recommended to upgrade to versions Struts 2.5.33 or\u00a0Struts 6.3.0.2 or greater to\u00a0fix this issue.",
"id": "GHSA-2j39-qcjm-428w",
"modified": "2025-02-13T19:28:02Z",
"published": "2023-12-07T09:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50164"
},
{
"type": "WEB",
"url": "https://github.com/apache/struts/commit/162e29fee9136f4bfd9b2376da2cbf590f9ea163"
},
{
"type": "WEB",
"url": "https://github.com/apache/struts/commit/d8c69691ef1d15e76a5f4fcf33039316da2340b6"
},
{
"type": "WEB",
"url": "https://cwiki.apache.org/confluence/display/WW/S2-066"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/struts"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231214-0010"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2023/12/07/1"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/176157/Struts-S2-066-File-Upload-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/12/07/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Struts vulnerable to path traversal"
}
GHSA-2JHM-QP48-HV5J
Vulnerability from github – Published: 2022-02-09 21:56 – Updated: 2022-02-09 21:56Impact
Any user with SCRIPT right (EDIT right before XWiki 7.4) can read any file located in the XWiki WAR (for example xwiki.cfg and xwiki.properties) through XWiki#invokeServletAndReturnAsString:
$xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg")
Patches
It has been patched in XWiki versions 12.10.9, 13.4.3 and 13.7-rc-1.
Workarounds
The only workaround is to give SCRIPT right only to trusted users.
References
https://jira.xwiki.org/browse/XWIKI-18870
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki * Email us at our security mailing list
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 13.6"
},
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "13.6-rc-1"
},
{
"fixed": "13.7-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "13.0.0"
},
{
"fixed": "13.4.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "12.10.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23621"
],
"database_specific": {
"cwe_ids": [
"CWE-552",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-09T21:56:05Z",
"nvd_published_at": "2022-02-09T22:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nAny user with SCRIPT right (EDIT right before XWiki 7.4) can read any file located in the XWiki WAR (for example xwiki.cfg and xwiki.properties) through XWiki#invokeServletAndReturnAsString:\n\n```\n$xwiki.invokeServletAndReturnAsString(\"/WEB-INF/xwiki.cfg\")\n```\n\n### Patches\n\nIt has been patched in XWiki versions 12.10.9, 13.4.3 and 13.7-rc-1.\n\n### Workarounds\n\nThe only workaround is to give SCRIPT right only to trusted users.\n\n### References\n\nhttps://jira.xwiki.org/browse/XWIKI-18870\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki](https://jira.xwiki.org)\n* Email us at [our security mailing list](mailto:security@xwiki.org)",
"id": "GHSA-2jhm-qp48-hv5j",
"modified": "2022-02-09T21:56:05Z",
"published": "2022-02-09T21:56:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2jhm-qp48-hv5j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23621"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/df8bd49b5a4d87a427002c6535fb5b1746ff117a"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-18870"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "Missing authorization in xwiki-platform"
}
GHSA-2MFQ-W3FM-WXM3
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14Emby Server is a personal media server with apps on many devices. In Emby Server on Windows there is a set of arbitrary file read vulnerabilities. This vulnerability is known to exist in version 4.6.4.0 and may not be patched in later versions. Known vulnerable routes are /Videos/Id/hls/PlaylistId/SegmentId.SegmentContainer, /Images/Ratings/theme/name and /Images/MediaInfo/theme/name. For more details including proof of concept code, refer to the referenced GHSL-2021-051. This issue may lead to unauthorized access to the system especially when Emby Server is configured to be accessible from the Internet.
{
"affected": [],
"aliases": [
"CVE-2021-32833"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-09T02:15:00Z",
"severity": "HIGH"
},
"details": "Emby Server is a personal media server with apps on many devices. In Emby Server on Windows there is a set of arbitrary file read vulnerabilities. This vulnerability is known to exist in version 4.6.4.0 and may not be patched in later versions. Known vulnerable routes are /Videos/Id/hls/PlaylistId/SegmentId.SegmentContainer, /Images/Ratings/theme/name and /Images/MediaInfo/theme/name. For more details including proof of concept code, refer to the referenced GHSL-2021-051. This issue may lead to unauthorized access to the system especially when Emby Server is configured to be accessible from the Internet.",
"id": "GHSA-2mfq-w3fm-wxm3",
"modified": "2022-05-24T19:14:07Z",
"published": "2022-05-24T19:14:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32833"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2021-051-emby"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2Q78-VV73-5VR2
Vulnerability from github – Published: 2022-08-26 00:03 – Updated: 2022-09-01 00:00A flaw was found in ansible-tower where the default installation is vulnerable to job isolation escape. This flaw allows an attacker to elevate the privilege from a low privileged user to an AWX user from outside the isolated environment.
{
"affected": [],
"aliases": [
"CVE-2021-4112"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-25T20:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in ansible-tower where the default installation is vulnerable to job isolation escape. This flaw allows an attacker to elevate the privilege from a low privileged user to an AWX user from outside the isolated environment.",
"id": "GHSA-2q78-vv73-5vr2",
"modified": "2022-09-01T00:00:25Z",
"published": "2022-08-26T00:03:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4112"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:0460"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:0474"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:0482"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2021-4112"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2028121"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2Q7V-X8XX-MPJX
Vulnerability from github – Published: 2024-08-20 12:30 – Updated: 2024-09-03 21:31Priority – CWE-552: Files or Directories Accessible to External Parties
{
"affected": [],
"aliases": [
"CVE-2024-41699"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-20T12:15:06Z",
"severity": "MODERATE"
},
"details": "Priority \u2013 CWE-552: Files or Directories Accessible to External Parties",
"id": "GHSA-2q7v-x8xx-mpjx",
"modified": "2024-09-03T21:31:12Z",
"published": "2024-08-20T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41699"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2R6J-862C-M2V2
Vulnerability from github – Published: 2021-03-23 01:53 – Updated: 2021-03-29 18:01Problem
Due to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - however, default fileDenyPattern successfully blocked files like .htaccess or malicious.php.
TYPO3 Extbase extensions, which implement a file upload and do not implement a custom TypeConverter to transform uploaded files into FileReference domain model objects are affected by the vulnerability as well, since the UploadedFileReferenceConverter of ext:form handles the file upload and will accept files of any mime-type which are persisted to the default location.
In any way, uploaded files are placed in the default location /fileadmin/user_upload/, in most scenarios keeping the submitted filename - which allows attackers to directly reference files, or even correctly guess filenames used by other individuals, disclosing this information.
No authentication is required to exploit this vulnerability.
Solution
Update to TYPO3 versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described.
Type converter UploadedFileReferenceConverter is not registered globally anymore and just handles uploaded files within the scope of the Form Framework. Guessable storage location has changed from /fileadmin/user_upload/form_\<random-hash>/ to /fileadmin/form_uploads/. Allowed mime-types must match expected file extensions (e.g. application/pdf must be .pdf, and cannot be .html).
Extbase extensions, who rely on the global availability of the UploadedFileReferenceConverter must now implement a custom TypeConverter to handle file uploads or explicitly implement the ext:form UploadedFileReferenceConverter with appropriate setting for accepted mime-types.
Credits
Thanks to Sebastian Michaelsen, Marc Lindemann, Oliver Eglseder, Markus Volkmer, Jakob Kunzmann, Johannes Regner, Richie Lee who reported this issue, and to TYPO3 core & security team members Oliver Hader & Benni Mack, as well as TYPO3 contributor Ralf Zimmermann who fixed the issue.
References
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.7.39"
},
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-form"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.7.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.5.24"
},
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-form"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.5.25"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.4.13"
},
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-form"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.4.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.1.0"
},
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-form"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.4.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.5.25"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.4.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.5.25"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21355"
],
"database_specific": {
"cwe_ids": [
"CWE-434",
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-23T01:41:38Z",
"nvd_published_at": "2021-03-23T02:15:00Z",
"severity": "HIGH"
},
"details": "\n### Problem\nDue to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - however, default _fileDenyPattern_ successfully blocked files like _.htaccess_ or _malicious.php_.\n\nTYPO3 Extbase extensions, which implement a file upload and do not implement a custom _TypeConverter_ to transform uploaded files into _FileReference_ domain model objects are affected by the vulnerability as well, since the _UploadedFileReferenceConverter_ of _ext:form_ handles the file upload and will accept files of any mime-type which are persisted to the default location.\n\nIn any way, uploaded files are placed in the default location _/fileadmin/user_upload/_, in most scenarios keeping the submitted filename - which allows attackers to directly reference files, or even correctly guess filenames used by other individuals, disclosing this information.\n\nNo authentication is required to exploit this vulnerability.\n\n### Solution\nUpdate to TYPO3 versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described.\n\nType converter _UploadedFileReferenceConverter_ is not registered globally anymore and just handles uploaded files within the scope of the Form Framework. Guessable storage location has changed from _/fileadmin/user_upload/form\\_\\\u003crandom-hash\\\u003e/_ to _/fileadmin/form_uploads/\u003crandom-40-bit\u003e_. Allowed mime-types must match expected file extensions (e.g. _application/pdf_ must be _.pdf_, and cannot be _.html_).\n\nExtbase extensions, who rely on the global availability of the _UploadedFileReferenceConverter_ must now implement a custom _TypeConverter_ to handle file uploads or explicitly implement the ext:form _UploadedFileReferenceConverter_ with appropriate setting for accepted mime-types.\n\n### Credits\nThanks to Sebastian Michaelsen, Marc Lindemann, Oliver Eglseder, Markus Volkmer, Jakob Kunzmann, Johannes Regner, Richie Lee who reported this issue, and to TYPO3 core \u0026 security team members Oliver Hader \u0026 Benni Mack, as well as TYPO3 contributor Ralf Zimmermann who fixed the issue.\n\n### References\n* [TYPO3-CORE-SA-2021-002](https://typo3.org/security/advisory/typo3-core-sa-2021-002)",
"id": "GHSA-2r6j-862c-m2v2",
"modified": "2021-03-29T18:01:54Z",
"published": "2021-03-23T01:53:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2r6j-862c-m2v2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21355"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21355.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21355.yaml"
},
{
"type": "WEB",
"url": "https://packagist.org/packages/typo3/cms-form"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-core-sa-2021-002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C",
"type": "CVSS_V3"
}
],
"summary": "Unrestricted File Upload in Form Framework"
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.
CAPEC-150: Collect Data from Common Resource Locations
An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.
CAPEC-639: Probe System Files
An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information.