TYPO3 Unrestricted File Upload Vulnerability in File Abstraction Layer

Vulnerability

A security misconfiguration vulnerability has been identified in TYPO3's File Abstraction Layer, affecting versions 9.0.0 through 9.5.50, 10.0.0 through 10.4.49, 11.0.0 through 11.5.43, 12.0.0 through 12.4.30, and 13.0.0 through 13.4.11. The vulnerability allows backend users to upload files of any type through the backend user interface, with the sole exception of files that are directly executable on the web server. This oversight enables the upload of potentially harmful files, such as executable binaries or files whose extension and MIME type do not match. Although such files cannot be executed through the web server, they pose an indirect risk: third-party antivirus or malware detection services may flag them, which could harm the website's availability or reputation.

Impact

The vulnerability could lead to the upload of harmful files that, while not directly executable on the web server, may be flagged by antivirus or malware detection services, disrupting the website's availability or damaging its reputation.

Remediation

Users are advised to update TYPO3 to version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS. After updating, it is recommended to configure the list of allowed file extensions and to enable the feature flags that enforce file extension validation and consistency between file extension and MIME type.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 0.6
exploitability: 5.4
remediation: 8.3
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.