Deserialization of Untrusted Data Affecting typo3/cms package, versions >=10.0.0, <10.4.2 >=9.0.0, <9.5.17


0.0
high

Snyk CVSS

    Attack Complexity Low
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    Exploit Maturity Mature
    EPSS 0.48% (76th percentile)
Expand this section
NVD
8.8 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-TYPO3CMS-568947
  • published 12 May 2020
  • disclosed 12 May 2020
  • credit Oliver Hader

How to fix?

Upgrade typo3/cms to version 10.4.2, 9.5.17 or higher.

Overview

typo3/cms is a free open source Content Management Framework.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of 3rd party components this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability.