Описание
Insecure Deserialization in TYPO3 CMS
It has been discovered that the Form Framework (system extension "form") is vulnerable to Insecure Deserialization when being used with the additional PHP PECL package “yaml”, which is capable of unserializing YAML contents to PHP objects. A valid backend user account as well as having PHP setting "yaml.decode_php" enabled is needed to exploit this vulnerability (which is the default value according to PHP documentation).
Пакеты
Наименование
typo3/cms
composer
Затронутые версииВерсия исправления
>= 8.5.0, < 8.7.17
8.7.17
Наименование
typo3/cms
composer
Затронутые версииВерсия исправления
>= 9.0.0, < 9.3.2
9.3.2
Дефекты
CWE-502
Дефекты
CWE-502