Lucene search

GitHub Advisory DatabaseGHSA-47WW-MQ32-G4XW

HistoryMay 17, 2022 - 4:54 a.m.

TYPO3 vulnerable to Insecure Unserialize via Content Editing Wizards component

2022-05-1704:54:41

CWE-502

GitHub Advisory Database

github.com

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

53.6%

JSON

The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote authenticated backend users to unserialize arbitrary PHP objects, delete arbitrary files, and possibly have other unspecified impacts via an unspecified parameter, related to a “missing signature.”

Affected configurations

Vulners

Node

typo3cms_poll_system_extensionRange≤6.1.6

typo3cms_poll_system_extensionRange≤6.0.11

typo3cms_poll_system_extensionRange≤4.7.16

typo3cms_poll_system_extensionRange≤4.5.31

CPENameOperatorVersion
typo3/cmsle6.1.6
typo3/cmsle6.0.11
typo3/cmsle4.7.16
typo3/cmsle4.5.31

Name	Operator	Version
typo3/cms	le	6.1.6
typo3/cms	le	6.0.11
typo3/cms	le	4.7.16
typo3/cms	le	4.5.31

References

seclists.org/oss-sec/2013/q4/473

typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-004/

www.debian.org/security/2014/dsa-2834

github.com/advisories/GHSA-47ww-mq32-g4xw

nvd.nist.gov/vuln/detail/CVE-2013-7075

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

53.6%

JSON

Related for GHSA-47WW-MQ32-G4XW