CVE-2013-7075 — Deserialization of Untrusted Data in CMS

CWE-310 CWE-502 — Deserialization of Untrusted Data5 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 38.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Typo3 CMS Typo3

Timeline

PublishedDec 23

Latest updateMay 17

Description

The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote authenticated backend users to unserialize arbitrary PHP objects, delete arbitrary files, and possibly have other unspecified impacts via an unspecified parameter, related to a "missing signature."

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages2 packages

▶Packagisttypo3/cms4.5.0 — 4.5.32+3

▶NVDtypo3/typo368 versions+67

🔴Vulnerability Details

OSV

TYPO3 vulnerable to Insecure Unserialize via Content Editing Wizards component↗2022-05-17

▶

GHSA

TYPO3 vulnerable to Insecure Unserialize via Content Editing Wizards component↗2022-05-17

▶

OSV

CVE-2013-7075: The Content Editing Wizards component in TYPO3 4↗2013-12-23

▶

CVEList

CVE-2013-7075: The Content Editing Wizards component in TYPO3 4↗2013-12-23

▶