VulnerableCode Package Details - pkg:composer/typo3/cms-form@9.5.25

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-fbhh-atu7-e3da	Unrestricted File Upload in Form Framework ### Problem Due to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - however, default _fileDenyPattern_ successfully blocked files like _.htaccess_ or _malicious.php_. TYPO3 Extbase extensions, which implement a file upload and do not implement a custom _TypeConverter_ to transform uploaded files into _FileReference_ domain model objects are affected by the vulnerability as well, since the _UploadedFileReferenceConverter_ of _ext:form_ handles the file upload and will accept files of any mime-type which are persisted to the default location. In any way, uploaded files are placed in the default location _/fileadmin/user_upload/_, in most scenarios keeping the submitted filename - which allows attackers to directly reference files, or even correctly guess filenames used by other individuals, disclosing this information. No authentication is required to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described. Type converter _UploadedFileReferenceConverter_ is not registered globally anymore and just handles uploaded files within the scope of the Form Framework. Guessable storage location has changed from _/fileadmin/user_upload/form\_\<random-hash\>/_ to _/fileadmin/form_uploads/<random-40-bit>_. Allowed mime-types must match expected file extensions (e.g. _application/pdf_ must be _.pdf_, and cannot be _.html_). Extbase extensions, who rely on the global availability of the _UploadedFileReferenceConverter_ must now implement a custom _TypeConverter_ to handle file uploads or explicitly implement the ext:form _UploadedFileReferenceConverter_ with appropriate setting for accepted mime-types. ### Credits Thanks to Sebastian Michaelsen, Marc Lindemann, Oliver Eglseder, Markus Volkmer, Jakob Kunzmann, Johannes Regner, Richie Lee who reported this issue, and to TYPO3 core & security team members Oliver Hader & Benni Mack, as well as TYPO3 contributor Ralf Zimmermann who fixed the issue. ### References * [TYPO3-CORE-SA-2021-002](https://typo3.org/security/advisory/typo3-core-sa-2021-002)	CVE-2021-21355 GHSA-2r6j-862c-m2v2
VCID-whf8-jc59-uub6	Broken Access Control in Form Framework ### Problem Due to improper input validation, attackers can by-pass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of the Form Framework. In the default configuration of the Form Framework this allows attackers to explicitly allow arbitrary mime-types for file uploads - however, default _fileDenyPattern_ successfully blocked files like _.htaccess_ or _malicious.php_. Besides that, attackers can persist those files in any writable directory of the corresponding TYPO3 installation. A valid backend user account with access to the form module is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described. ### Credits Thanks to Richie Lee who reported this issue and to TYPO3 contributor Ralf Zimmermann who fixed the issue. ### References * [TYPO3-CORE-SA-2021-003](https://typo3.org/security/advisory/typo3-core-sa-2021-003)	CVE-2021-21357 GHSA-3vg7-jw9m-pc3f

Vulnerability

Summary

Aliases

VCID-fbhh-atu7-e3da

Unrestricted File Upload in Form Framework ### Problem Due to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - however, default _fileDenyPattern_ successfully blocked files like _.htaccess_ or _malicious.php_. TYPO3 Extbase extensions, which implement a file upload and do not implement a custom _TypeConverter_ to transform uploaded files into _FileReference_ domain model objects are affected by the vulnerability as well, since the _UploadedFileReferenceConverter_ of _ext:form_ handles the file upload and will accept files of any mime-type which are persisted to the default location. In any way, uploaded files are placed in the default location _/fileadmin/user_upload/_, in most scenarios keeping the submitted filename - which allows attackers to directly reference files, or even correctly guess filenames used by other individuals, disclosing this information. No authentication is required to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described. Type converter _UploadedFileReferenceConverter_ is not registered globally anymore and just handles uploaded files within the scope of the Form Framework. Guessable storage location has changed from _/fileadmin/user_upload/form\_\<random-hash\>/_ to _/fileadmin/form_uploads/<random-40-bit>_. Allowed mime-types must match expected file extensions (e.g. _application/pdf_ must be _.pdf_, and cannot be _.html_). Extbase extensions, who rely on the global availability of the _UploadedFileReferenceConverter_ must now implement a custom _TypeConverter_ to handle file uploads or explicitly implement the ext:form _UploadedFileReferenceConverter_ with appropriate setting for accepted mime-types. ### Credits Thanks to Sebastian Michaelsen, Marc Lindemann, Oliver Eglseder, Markus Volkmer, Jakob Kunzmann, Johannes Regner, Richie Lee who reported this issue, and to TYPO3 core & security team members Oliver Hader & Benni Mack, as well as TYPO3 contributor Ralf Zimmermann who fixed the issue. ### References * [TYPO3-CORE-SA-2021-002](https://typo3.org/security/advisory/typo3-core-sa-2021-002)

CVE-2021-21355
GHSA-2r6j-862c-m2v2

VCID-whf8-jc59-uub6

Broken Access Control in Form Framework ### Problem Due to improper input validation, attackers can by-pass restrictions of predefined options and submit arbitrary data in the Form Designer backend module of the Form Framework. In the default configuration of the Form Framework this allows attackers to explicitly allow arbitrary mime-types for file uploads - however, default _fileDenyPattern_ successfully blocked files like _.htaccess_ or _malicious.php_. Besides that, attackers can persist those files in any writable directory of the corresponding TYPO3 installation. A valid backend user account with access to the form module is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described. ### Credits Thanks to Richie Lee who reported this issue and to TYPO3 contributor Ralf Zimmermann who fixed the issue. ### References * [TYPO3-CORE-SA-2021-003](https://typo3.org/security/advisory/typo3-core-sa-2021-003)

CVE-2021-21357
GHSA-3vg7-jw9m-pc3f

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-03T17:56:55.578824+00:00	GitLab Importer	Fixing	VCID-whf8-jc59-uub6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-form/CVE-2021-21357.yml	37.0.0
2025-07-03T17:56:41.441148+00:00	GitLab Importer	Fixing	VCID-fbhh-atu7-e3da	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-form/CVE-2021-21355.yml	37.0.0
2025-07-03T16:51:18.186326+00:00	GHSA Importer	Fixing	VCID-whf8-jc59-uub6	https://github.com/advisories/GHSA-3vg7-jw9m-pc3f	37.0.0
2025-07-03T16:51:18.164843+00:00	GHSA Importer	Fixing	VCID-fbhh-atu7-e3da	https://github.com/advisories/GHSA-2r6j-862c-m2v2	37.0.0
2025-07-03T13:56:07.093324+00:00	GitLab Importer	Fixing	VCID-whf8-jc59-uub6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-form/CVE-2021-21357.yml	36.1.3
2025-07-03T13:56:06.408440+00:00	GitLab Importer	Fixing	VCID-fbhh-atu7-e3da	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/typo3/cms-form/CVE-2021-21355.yml	36.1.3
2025-07-01T12:19:10.375317+00:00	GithubOSV Importer	Fixing	VCID-fbhh-atu7-e3da	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-2r6j-862c-m2v2/GHSA-2r6j-862c-m2v2.json	36.1.3
2025-07-01T12:19:01.788655+00:00	GithubOSV Importer	Fixing	VCID-whf8-jc59-uub6	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-3vg7-jw9m-pc3f/GHSA-3vg7-jw9m-pc3f.json	36.1.3