logo

Database

Insecure deserialization In typo3/cms-core

Description

TYPO3 CMS Insecure Deserialization It has been discovered that the Form Framework (system extension form) is vulnerable to Insecure Deserialization when being used with the additional PHP PECL package yaml, which is capable of unserializing YAML contents to PHP objects. A valid backend user account as well as having PHP setting yaml.decode_php enabled is needed to exploit this vulnerability (which is the default value according to PHP documentation).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GCVE-GHSA-96jg-pmc4-cx39

References

1. https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2018-07-12-4.yaml2. https://typo3.org/security/advisory/typo3-core-sa-2018-004

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.