Headline
GHSA-cc97-g92w-jm65: TYPO3 CMS Insecure Deserialization & Arbitrary Code Execution
Phar files (formerly known as “PHP archives”) can act als self extracting archives which leads to the fact that source code is executed when Phar files are invoked. The Phar file format is not limited to be stored with a dedicated file extension - “bundle.phar” would be valid as well as “bundle.txt” would be. This way, Phar files can be obfuscated as image or text file which would not be denied from being uploaded and persisted to a TYPO3 installation. Due to a missing sanitization of user input, those Phar files can be invoked by manipulated URLs in TYPO3 backend forms. A valid backend user account is needed to exploit this vulnerability. In theory the attack vector would be possible in the TYPO3 frontend as well, however no functional exploit has been identified so far.
Skip to content
Navigation Menu
Actions
Automate any workflow
Packages
Host and manage packages
Security
Find and fix vulnerabilities
Codespaces
Instant dev environments
Copilot
Write better code with AI
Code review
Manage code changes
Issues
Plan and track work
Discussions
Collaborate outside of code
GitHub Sponsors
Fund open source developers
* The ReadME Project
GitHub community articles
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-cc97-g92w-jm65
TYPO3 CMS Insecure Deserialization & Arbitrary Code Execution
Critical severity GitHub Reviewed Published May 30, 2024 to the GitHub Advisory Database • Updated May 30, 2024
Package
composer typo3/cms-core (Composer)
Affected versions
>= 8.0.0, < 8.7.17
>= 9.0.0, < 9.3.2
>= 7.0.0, < 7.6.30
Patched versions
8.7.17
9.3.2
7.6.30
Description
Published to the GitHub Advisory Database
May 30, 2024
Last updated
May 30, 2024