TYPO3 CMS Insecure Deserialization

2024-05-3014:52:14

Google

osv.dev

typo3

form framework

insecure deserialization

yaml

php

vulnerability

7 High

AI Score

Confidence

High

JSON

It has been discovered that the Form Framework (system extension form) is vulnerable to Insecure Deserialization when being used with the additional PHP PECL package yaml, which is capable of unserializing YAML contents to PHP objects. A valid backend user account as well as having PHP setting yaml.decode_php enabled is needed to exploit this vulnerability (which is the default value according to PHP documentation).

CPENameOperatorVersion
typo3/cms-coreeq8.7.11
typo3/cms-coreeq8.7.7
typo3/cms-coreeq8.7.9
typo3/cms-coreeq8.7.10
typo3/cms-coreeq8.7.8
typo3/cms-coreeq9.2.0
typo3/cms-coreeq8.7.14
typo3/cms-coreeq9.2.1
typo3/cms-coreeq8.7.15
typo3/cms-coreeq8.7.12

Name	Operator	Version
typo3/cms-core	eq	8.7.11
typo3/cms-core	eq	8.7.7
typo3/cms-core	eq	8.7.9
typo3/cms-core	eq	8.7.10
typo3/cms-core	eq	8.7.8
typo3/cms-core	eq	9.2.0
typo3/cms-core	eq	8.7.14
typo3/cms-core	eq	9.2.1
typo3/cms-core	eq	8.7.15
typo3/cms-core	eq	8.7.12

Rows per page:

1-10 of 151

References

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2018-07-12-4.yaml

github.com/TYPO3-CMS/core

typo3.org/security/advisory/typo3-core-sa-2018-004

7 High

AI Score

Confidence

High

JSON