TYPO3
cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*
- >= 10.0.0, <= 10.4.56
- >= 11.0.0, <= 11.5.50
- >= 12.0.0, <= 12.4.45
- >= 13.0.0, <= 13.4.30
- >= 14.0.0, <= 14.3.2
A vulnerability exists in the TYPO3 CMS Form Framework (ext:form) that allows backend users with file write permissions to upload form definition files under a mixed-case extension such as .FORM.YAML. The restriction that normally prevents uploading form definition files (.form.yaml) does not catch this case variant, so the upload bypasses it. Once uploaded, such a maliciously crafted form definition can execute arbitrary SQL statements, which can be used to escalate privileges by creating administrative backend user accounts. Affected are TYPO3 CMS versions 10.0.0-10.4.56, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.
Successful exploitation allows a backend user with file write permissions to escalate privileges by creating administrative backend user accounts.
To reproduce this vulnerability, authenticate to the TYPO3 backend of an instance where the Form Framework (ext:form) is active as a user who has file write permissions, and upload a form definition file whose extension uses mixed case, for example .FORM.YAML instead of .form.yaml; the case variant is not caught by the restriction that normally rejects form definition uploads. Once the file is in place, the crafted definition can execute arbitrary SQL statements, which can be used to create an administrative backend user account.
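As an added example, not part of this advisory or of TYPO3's own code, the following Python script performs two checks a responder would want after reading the above: it maps an installed TYPO3 version onto the affected ranges listed for this vulnerability and names the release to update to, and it scans a file-storage listing for form definitions whose name matches the canonical .form.yaml extension only under case-insensitive comparison, which is exactly the variant this vulnerability abuses. The storage path and the sample listing are constructed assumptions; the script flags suspicious file names only and does not inspect their contents.

```python
"""Check a TYPO3 version against the affected ranges in this advisory and hunt
for form definitions uploaded under a mixed-case extension (e.g. .FORM.YAML)."""
from __future__ import annotations

import re
from pathlib import Path
from typing import Iterable, Optional

# Affected ranges and the release that closes each, as listed in this advisory.
AFFECTED_RANGES = [
    ((10, 0, 0), (10, 4, 56), "10.4.57 ELTS"),
    ((11, 0, 0), (11, 5, 50), "11.5.51 ELTS"),
    ((12, 0, 0), (12, 4, 45), "12.4.46 ELTS"),
    ((13, 0, 0), (13, 4, 30), "13.4.31 LTS"),
    ((14, 0, 0), (14, 3, 2), "14.3.3 LTS"),
]

# Canonical, all-lowercase extension of a Form Framework definition file.
CANONICAL_SUFFIX = ".form.yaml"


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '13.4.30' (a leading 'v' or a trailing '-dev' is tolerated) into a tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised TYPO3 version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def affected_fix(version: str) -> Optional[str]:
    """Return the release to update to if `version` is affected, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return fixed
    return None


def is_mixed_case_form_definition(filename: str) -> bool:
    """True when the name is a form definition only under case-insensitive comparison,
    i.e. it ends in .form.yaml ignoring case but not in the exact lowercase suffix."""
    return (filename.lower().endswith(CANONICAL_SUFFIX)
            and not filename.endswith(CANONICAL_SUFFIX))


def find_mixed_case_form_definitions(filenames: Iterable[str]) -> list[str]:
    """Filter a listing of file names down to the suspicious ones."""
    return [name for name in filenames if is_mixed_case_form_definition(name)]


def scan_storage(root: Path) -> list[Path]:
    """Walk a file storage directory and report suspicious files.
    The directory is an assumption: point it at each storage root (e.g. fileadmin/)
    of the installation being checked."""
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and is_mixed_case_form_definition(p.name))


if __name__ == "__main__":
    # Constructed sample of file names as they might appear in a storage listing.
    sample_listing = [
        "form_definitions/contact.form.yaml",   # canonical, expected
        "user_upload/backdoor.FORM.YAML",       # mixed case: flagged
        "user_upload/profile.Form.Yaml",        # mixed case: flagged
        "user_upload/notes.yaml",               # not a form definition
    ]
    for name in find_mixed_case_form_definitions(sample_listing):
        print("suspicious form definition:", name)
    for ver in ("13.4.30", "13.4.31", "14.3.2"):
        print(ver, "->", affected_fix(ver) or "not in an affected range")
```

The comparison in is_mixed_case_form_definition is the general lesson of this class of bug: an extension allow- or deny-list that compares case-sensitively on a case-preserving file system is bypassed by changing case, so both the check and any hunt for past abuse must lowercase the name first. Any file the scan reports should be treated as untrusted and reviewed before the instance is considered clean.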
Update TYPO3 to 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS or 14.3.3 LTS. Form definition files with mixed-case extensions that were uploaded before the update should also be located and reviewed, and backend user accounts audited for unexpected administrators.