Описание
TYPO3 CMS Insecure Deserialization
It has been discovered that the Form Framework (system extension form) is vulnerable to Insecure Deserialization when being used with the additional PHP PECL package yaml, which is capable of unserializing YAML contents to PHP objects. A valid backend user account as well as having PHP setting yaml.decode_php enabled is needed to exploit this vulnerability (which is the default value according to PHP documentation).
Пакеты
Наименование
typo3/cms-core
composer
Затронутые версииВерсия исправления
>= 8.5.0, < 8.7.17
8.7.17
Наименование
typo3/cms-core
composer
Затронутые версииВерсия исправления
>= 9.0.0, < 9.3.1
9.3.1
7.5 High
CVSS3
Дефекты
CWE-502
7.5 High
CVSS3
Дефекты
CWE-502