CVE-2014-3942: TYPO3 Color Picker Wizard component allows remote authenticated editors to execute arbitrary PHP code

May 14, 2022 (updated April 14, 2025)

The Color Picker Wizard component in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, and 6.1.0 before 6.1.9 allows remote authenticated editors to execute arbitrary PHP code via a serialized PHP object.

References

github.com/TYPO3/typo3
github.com/advisories/GHSA-55g3-fjwm-w2c8
nvd.nist.gov/vuln/detail/CVE-2014-3942
typo3.org/security/advisory/typo3-core-sa-2014-001

Code Behaviors & Features

Detect and mitigate CVE-2014-3942 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →