GHSA-96jg-pmc4-cx39: TYPO3 CMS Insecure Deserialization

May 30, 2024

It has been discovered that the Form Framework (system extension form) is vulnerable to Insecure Deserialization when being used with the additional PHP PECL package yaml, which is capable of unserializing YAML contents to PHP objects. A valid backend user account as well as having PHP setting yaml.decode_php enabled is needed to exploit this vulnerability (which is the default value according to PHP documentation).

References

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2018-07-12-4.yaml
github.com/TYPO3-CMS/core
github.com/advisories/GHSA-96jg-pmc4-cx39
typo3.org/security/advisory/typo3-core-sa-2018-004

Detect and mitigate GHSA-96jg-pmc4-cx39 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →