GHSA-7h74-7vcw-4mwp: Insecure deserialize Vulnerability in FLOW3

May 17, 2024

Due to a missing signature (HMAC) for a request argument, an attacker could unserialize arbitrary objects within FLOW3.

To our knowledge it is neither possible to inject code through this vulnerability, nor are there exploitable objects within the FLOW3 Base Distribution. However, there might be exploitable objects within user applications.

References

github.com/FriendsOfPHP/security-advisories/blob/master/neos/flow/2012-03-28.yaml
github.com/advisories/GHSA-7h74-7vcw-4mwp
github.com/neos/flow
www.neos.io/blog/flow-sa-2012-001.html

Detect and mitigate GHSA-7h74-7vcw-4mwp with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →