Описание
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.
Ссылки
- Third Party AdvisoryVDB Entry
- Release NotesThird Party Advisory
- Release NotesThird Party Advisory
- Mailing ListThird Party Advisory
- Issue TrackingMailing ListThird Party Advisory
- Vendor Advisory
- Third Party Advisory
- Third Party Advisory
- Third Party Advisory
- Third Party AdvisoryVDB Entry
- Release NotesThird Party Advisory
- Release NotesThird Party Advisory
- Mailing ListThird Party Advisory
Уязвимые конфигурации
Одно из
Одно из
Одно из
Одно из
EPSS
9.8 Critical
CVSS3
7.5 High
CVSS2
Дефекты
Связанные уязвимости
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1 ...
Directory Traversal in typo3/phar-stream-wrapper
Уязвимость пакета PharStreamWrapper системы управления контентом TYPO3, позволяющая нарушителю раскрыть защищаемую информацию
EPSS
9.8 Critical
CVSS3
7.5 High
CVSS2