Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS05NmpnLXBtYzQtY3gzOc4AA8jw

TYPO3 CMS Insecure Deserialization

It has been discovered that the Form Framework (system extension form) is vulnerable to Insecure Deserialization when being used with the additional PHP PECL package yaml, which is capable of unserializing YAML contents to PHP objects. A valid backend user account as well as having PHP setting yaml.decode_php enabled is needed to exploit this vulnerability (which is the default value according to PHP documentation).

Permalink: https://github.com/advisories/GHSA-96jg-pmc4-cx39
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05NmpnLXBtYzQtY3gzOc4AA8jw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 6 months ago
Updated: 6 months ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-96jg-pmc4-cx39
References: Blast Radius: 26.9

Affected Packages

packagist:typo3/cms-core
Dependent packages: 3,067
Dependent repositories: 3,856
Downloads: 8,389,906 total
Affected Version Ranges: >= 9.0.0, < 9.3.1, >= 8.5.0, < 8.7.17
Fixed in: 9.3.1, 8.7.17
All affected versions: 8.7.7, 8.7.8, 8.7.9, 8.7.10, 8.7.11, 8.7.12, 8.7.13, 8.7.14, 8.7.15, 8.7.16, 9.0.0, 9.1.0, 9.2.0, 9.2.1, 9.3.0
All unaffected versions: 8.7.17, 8.7.18, 8.7.19, 8.7.20, 8.7.21, 8.7.22, 8.7.23, 8.7.24, 8.7.25, 8.7.26, 8.7.27, 8.7.28, 8.7.29, 8.7.30, 8.7.31, 8.7.32, 9.3.1, 9.3.2, 9.3.3, 9.4.0, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 9.5.5, 9.5.6, 9.5.7, 9.5.8, 9.5.9, 9.5.10, 9.5.11, 9.5.12, 9.5.13, 9.5.14, 9.5.15, 9.5.16, 9.5.17, 9.5.18, 9.5.19, 9.5.20, 9.5.21, 9.5.22, 9.5.23, 9.5.24, 9.5.25, 9.5.26, 9.5.27, 9.5.28, 9.5.29, 9.5.30, 9.5.31, 10.0.0, 10.1.0, 10.2.0, 10.2.1, 10.2.2, 10.3.0, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 10.4.7, 10.4.8, 10.4.9, 10.4.10, 10.4.11, 10.4.12, 10.4.13, 10.4.14, 10.4.15, 10.4.16, 10.4.17, 10.4.18, 10.4.19, 10.4.20, 10.4.21, 10.4.22, 10.4.23, 10.4.24, 10.4.25, 10.4.26, 10.4.27, 10.4.28, 10.4.29, 10.4.30, 10.4.31, 10.4.32, 10.4.33, 10.4.34, 10.4.35, 10.4.36, 10.4.37, 11.0.0, 11.1.0, 11.1.1, 11.2.0, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.4.0, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.5.11, 11.5.12, 11.5.13, 11.5.14, 11.5.15, 11.5.16, 11.5.17, 11.5.18, 11.5.19, 11.5.20, 11.5.21, 11.5.22, 11.5.23, 11.5.24, 11.5.25, 11.5.26, 11.5.27, 11.5.28, 11.5.29, 11.5.30, 11.5.31, 11.5.32, 11.5.33, 11.5.34, 11.5.35, 11.5.36, 11.5.37, 11.5.38, 11.5.39, 11.5.40, 11.5.41, 12.0.0, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.2.0, 12.3.0, 12.4.0, 12.4.1, 12.4.2, 12.4.3, 12.4.4, 12.4.5, 12.4.6, 12.4.7, 12.4.8, 12.4.9, 12.4.10, 12.4.11, 12.4.12, 12.4.13, 12.4.14, 12.4.15, 12.4.16, 12.4.17, 12.4.18, 12.4.19, 12.4.20, 12.4.21, 12.4.22, 12.4.23, 13.0.0, 13.0.1, 13.1.0, 13.1.1, 13.2.0, 13.2.1, 13.3.0, 13.3.1, 13.4.0, 13.4.1