CVE-2019-19849: Deserialization of Untrusted Data

December 17, 2019 (updated December 23, 2019)

It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (Backend Module DB Check) installed, with a valid backend user who has administrator privileges. The other exploitable scenario requires having the system extension ext:sys_action installed, with a valid backend user who has limited privileges.

References

nvd.nist.gov/vuln/detail/CVE-2019-19849
review.typo3.org/q/%2522Resolves:+%252389005%2522+topic:security
typo3.org/security/advisory/typo3-core-sa-2019-026/

Detect and mitigate CVE-2019-19849 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →