GHSA-ppgf-8745-8pgx – typo3/cms

Package

Manager: composer
Name: typo3/cms
Vulnerable Version: >=7.0.0 <7.6.30 || >=8.0.0 <8.7.17 || >=9.0.0 <9.3.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Insecure Deserialization & Arbitrary Code Execution in TYPO3 CMS Phar files (formerly known as "PHP archives") can act als self extracting archives which leads to the fact that source code is executed when Phar files are invoked. The Phar file format is not limited to be stored with a dedicated file extension - "bundle.phar" would be valid as well as "bundle.txt" would be. This way, Phar files can be obfuscated as image or text file which would not be denied from being uploaded and persisted to a TYPO3 installation. Due to a missing sanitization of user input, those Phar files can be invoked by manipulated URLs in TYPO3 backend forms. A valid backend user account is needed to exploit this vulnerability. In theory the attack vector would be possible in the TYPO3 frontend as well, however no functional exploit has been identified so far.

Metadata

Created: 2024-06-05T16:41:48Z
Modified: 2024-06-05T16:41:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-ppgf-8745-8pgx/GHSA-ppgf-8745-8pgx.json
CWE IDs: ["CWE-502"]
Alternative ID: N/A
Finding: F096
Auto approve: 1