view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19,
4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated
backend users to unserialize arbitrary objects and possibly execute
arbitrary PHP code via an unspecified parameter, related to a “missing
signature (HMAC).”