CVE-2014-6289: yag and pt_extbase extensions for TYPO3 allow remote attackers to bypass access restrictions

May 17, 2022 (updated April 14, 2025)

The Ajax dispatcher for Extbase in the Yet Another Gallery (yag) extension before 3.0.1 and Tools for Extbase development (pt_extbase) extension before 1.5.1 allows remote attackers to bypass access restrictions and execute arbitrary controller actions via unspecified vectors.

References

github.com/YAG-Gallery/yag/commit/4ab6ca121044d31b3822ab0c922053a9de8ee4ef
github.com/advisories/GHSA-46fq-683f-2jwq
github.com/punktDe/pt_extbase/commit/9969635830fcf5c3222de0fd9dc0d9a05f8d6cb1
nvd.nist.gov/vuln/detail/CVE-2014-6289
typo3.org/security/advisory/typo3-ext-sa-2014-005

Code Behaviors & Features

Detect and mitigate CVE-2014-6289 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →