Lucene search
GoogleOSV:GHSA-2RXH-H6H9-QRQCHistoryMay 13, 2020 - 11:18 p.m.
Class destructors causing side-effects when being unserialized in TYPO3 CMS
2020-05-1323:18:38
Google
osv.dev
10
0.001 Low
EPSS
Percentile
44.0%
Calling unserialize() on malicious user-submitted content can result in the following scenarios:
- trigger deletion of arbitrary directory in file system (if writable for web server)
- trigger message submission via email using identity of web site (mail relay)
Another insecure deserialization vulnerability is required to actually exploit mentioned aspects.
Update to TYPO3 versions 9.5.17 or 10.4.2 that fix the problem described.
References
References
github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11066.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11066.yaml
github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2rxh-h6h9-qrqc
nvd.nist.gov/vuln/detail/CVE-2020-11066
typo3.org/security/advisory/typo3-core-sa-2020-004
Related
cve
cve
CVE-2020-11066
2020-05-14 00:15:11
veracode
veracode
Insecure Deserialization
2020-05-14 04:41:41
nvd
nvd
CVE-2020-11066
2020-05-14 00:15:11
friendsofphp
friendsofphp
github
github
Class destructors causing side-effects when being unserialized in TYPO3 CMS
2020-05-13 23:18:38
typo3
typo3
Class destructors causing side-effects when being unserialized
2020-05-12 00:00:00
prion
prion
Deserialization of untrusted data
2020-05-14 00:15:00
osv
osv
CVE-2020-11066
2020-05-14 00:15:11
BIT-typo3-2020-11066
2024-03-06 11:11:59
cvelist
cvelist
nessus
nessus
TYPO3 9.x < 9.5.17 / 10.x < 10.4.2 Multiple Vulnerabilities
2020-07-13 00:00:00
openvas
openvas
freebsd
freebsd
typo3 -- multiple vulnerabilities
2020-05-12 00:00:00