Insecure deserialization In typo3/cms-core
Description
Deserialization of untrusted data in Symfony In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 packagist | 9.5.8 | ||
packagist | 3.4.26, 4.1.12, 4.2.7 | ||
packagist | 2.8.50, 3.4.26, 4.1.12, 4.2.7 | ||
packagist | 2.8.50, 3.4.26, 4.1.12, 4.2.7 | ||
 debian 11 | 3.4.22+dfsg-2 | ||
packagist | 9.5.8 | ||
debian 13 | 3.4.22+dfsg-2 | ||
debian 12 | 3.4.22+dfsg-2 | ||
debian 14 | 3.4.22+dfsg-2 |
Aliases
1. 2. 3. 4. 5. 6.
References
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27.