The Extbase Framework in TYPO3 4.6.x through 4.6.6, 4.7, and 6.0 unserializes untrusted data, which allows remote attackers to unserialize arbitrary objects and possibly execute arbitrary code via vectors related to "a missing signature (HMAC) for a request argument." To our knowledge it is neither possible to inject code through this vulnerability, nor are there exploitable objects within the TYPO3 Core. However, there might be exploitable objects within third party extensions.

The Extbase Framework in TYPO3 4.6.x through 4.6.6, 4.7, and 6.0 unserializes untrusted data, which allows remote attackers to unserialize arbitrary objects and possibly execute arbitrary code via vectors related to "a missing signature (HMAC) for a request argument."

The Extbase Framework in TYPO3 4.6.x through 4.6.6, 4.7, and 6.0 unser ...

Typo3 Extbase Framework Unsafe Deserialization