Headline
GHSA-m2hp-5x78-74mg: Insecure Unserialize Vulnerability in FLOW3
Package
typo3/flow (Composer)
Affected versions
>= 1.0.0, < 1.0.4
Patched versions
1.0.4
Description
Due to a missing signature (HMAC) for a request argument, an attacker could unserialize arbitrary objects within FLOW3.
To our knowledge it is neither possible to inject code through this vulnerability, nor are there exploitable objects within the FLOW3 Base Distribution. However, there might be exploitable objects within user applications.
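The missing control described above, a keyed signature checked before a client-supplied argument is unserialized, shown as an added PHP example. It is not FLOW3's code or the 1.0.4 patch; the function names, the base64-plus-hex-tag layout and the sample data are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not FLOW3's API.
const MAC_HEX_LENGTH = 64; // hex length of an HMAC-SHA256 tag

/** Serialize a value and append an HMAC so the server can later prove it issued it. */
function signArgument($value, string $key): string
{
    $payload = base64_encode(serialize($value));
    return $payload . hash_hmac('sha256', $payload, $key);
}

/** Verify the HMAC first; only then unserialize, and never instantiate objects. */
function verifyAndUnserialize(string $argument, string $key)
{
    if (strlen($argument) <= MAC_HEX_LENGTH) {
        throw new InvalidArgumentException('Argument too short to carry an HMAC');
    }
    $payload = substr($argument, 0, -MAC_HEX_LENGTH);
    $mac     = substr($argument, -MAC_HEX_LENGTH);

    // Constant-time comparison; reject before any parsing of the payload.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        throw new InvalidArgumentException('HMAC mismatch: argument was not issued by this application');
    }
    $serialized = base64_decode($payload, true);
    if ($serialized === false) {
        throw new InvalidArgumentException('Payload is not valid base64');
    }
    // Defence in depth: even a validly signed payload yields no live objects.
    return unserialize($serialized, ['allowed_classes' => false]);
}

// Constructed sample data.
$key    = random_bytes(32); // assumption: in practice a persistent per-installation secret
$signed = signArgument(['page' => 3, 'sort' => 'title'], $key);
var_dump(verifyAndUnserialize($signed, $key));

// A client-modified argument fails verification before unserialize() is reached.
$tampered = base64_encode(serialize(['page' => 999])) . substr($signed, -MAC_HEX_LENGTH);
try {
    verifyAndUnserialize($tampered, $key);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The `allowed_classes` option requires PHP 7.0 or later; on older runtimes the HMAC check is the only barrier, which is why it has to run before `unserialize()`.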
References
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/flow/2012-03-28.yaml
- https://www.neos.io/blog/flow-sa-2012-001.html
Published to the GitHub Advisory Database
Jun 5, 2024
Reviewed
Jun 5, 2024