CVE-2012-3527

view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and possibly execute arbitrary PHP code via an unspecified parameter, related to a "missing signature (HMAC)."

Published: Sep 6, 2012
Updated: Apr 13, 2023
CVE: CVE-2012-3527
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4.6
AV:N/AC:H/Au:S/C:P/I:P/A:P

CWEs:

CWE-502
CWE-310

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
typo3 / typo3	4.7.0	4.7.4
typo3 / typo3	4.6.0	4.6.12
typo3 / typo3	4.5.0	4.5.19
debian / debian_linux	7.0	7.0.x
debian / debian_linux	6.0	6.0.x

http://osvdb.org/84773
http://secunia.com/advisories/50287
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-004/
http://www.debian.org/security/2012/dsa-2537
http://www.openwall.com/lists/oss-security/2012/08/22/8
https://exchange.xforce.ibmcloud.com/vulnerabilities/77791

Vulnerability Database

290,020

CVE-2012-3527