CVE-2012-3527 — Deserialization of Untrusted Data in Typo3

CWE-502 — Deserialization of Untrusted Data4 documents4 sources

Severity

4.6MEDIUMNVD

EPSS

2.1%

top 16.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Typo3 Typo3 CMS Debian Linux

Timeline

PublishedSep 5

Latest updateMay 17

Description

view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and possibly execute arbitrary PHP code via an unspecified parameter, related to a "missing signature (HMAC)."

CVSS vector

AV:N/AC:H/C:P/I:P/A:PExploitability: 3.9 | Impact: 6.4

Affected Packages2 packages

▶Packagisttypo3/cms4.5.0 — 4.5.19+2

▶NVDtypo3/typo34.5.0 — 4.5.19+2

Also affects: Debian Linux 6.0, 7.0

🔴Vulnerability Details

OSV

TYPO3 allows remote authenticated backend users to unserialize arbitrary objects↗2022-05-17

▶

GHSA

TYPO3 allows remote authenticated backend users to unserialize arbitrary objects↗2022-05-17

▶

CVEList

CVE-2012-3527: view_help↗2012-09-05

▶