TYPO3 CMS Insecure Deserialization

It has been discovered that the Form Framework (system extension form) is vulnerable to Insecure Deserialization when being used with the additional PHP PECL package yaml, which is capable of unserializing YAML contents to PHP objects. A valid backend user account as well as having PHP setting yaml.decode_php enabled is needed to exploit this vulnerability (which is the default value according to PHP documentation).

Published: May 30, 2024
Updated: Jun 27, 2024
GHSA: GHSA-96jg-pmc4-cx39
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
typo3 / cms-core	8.5.0	8.7.17
typo3 / cms-core	9.0.0	9.3.1

https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2018-07-12-4.yaml
https://typo3.org/security/advisory/typo3-core-sa-2018-004

Vulnerability Database

TYPO3 CMS Insecure Deserialization

Deep Security Visibility Without the Complexity