Meta
- CVSS v3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H/E:F/RL:O/RC:C
- CWE-502
Problem
Calling unserialize() on malicious user-submitted content can result in the following scenarios:
- trigger deletion of arbitrary directory in file system (if writable for web server)
- trigger message submission via email using identity of web site (mail relay)
Another insecure deserialization vulnerability is required to actually exploit mentioned aspects.
Solution
Update to TYPO3 versions 9.5.17 or 10.4.2 that fix the problem described.
Credits
Thanks to TYPO3 security team member Oliver Hader who reported and fixed the issue.
References
Problem
Calling
unserialize()on malicious user-submitted content can result in the following scenarios:Another insecure deserialization vulnerability is required to actually exploit mentioned aspects.
Solution
Update to TYPO3 versions 9.5.17 or 10.4.2 that fix the problem described.
Credits
Thanks to TYPO3 security team member Oliver Hader who reported and fixed the issue.
References