GHSA-7h74-7vcw-4mwp – neos/flow

Package

Manager: composer
Name: neos/flow
Vulnerable Version: >=1.0.0 <1.0.4

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Insecure deserialize Vulnerability in FLOW3 Due to a missing signature (HMAC) for a request argument, an attacker could unserialize arbitrary objects within FLOW3. To our knowledge it is neither possible to inject code through this vulnerability, nor are there exploitable objects within the FLOW3 Base Distribution. However, there might be exploitable objects within user applications.

Metadata

Created: 2024-05-17T22:32:12Z
Modified: 2024-05-17T22:32:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-7h74-7vcw-4mwp/GHSA-7h74-7vcw-4mwp.json
CWE IDs: []
Alternative ID: N/A
Finding: F096
Auto approve: 1