CVE-2012-3527: TYPO3 allows remote authenticated backend users to unserialize arbitrary objects

May 17, 2022 (updated April 12, 2025)

view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and possibly execute arbitrary PHP code via an unspecified parameter, related to a “missing signature (HMAC).”

References

exchange.xforce.ibmcloud.com/vulnerabilities/77791
github.com/TYPO3/typo3
github.com/advisories/GHSA-m4hw-r893-xh4g
nvd.nist.gov/vuln/detail/CVE-2012-3527
web.archive.org/web/20120817233148/http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-004

Code Behaviors & Features

Detect and mitigate CVE-2012-3527 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →