GHSA-8h28-f46f-m87h: Insecure Deserialization in TYPO3 CMS
It has been discovered that the Form Framework (system extension “form”) is vulnerable to Insecure Deserialization when being used with the additional PHP PECL package “yaml”, which is capable of unserializing YAML contents to PHP objects. A valid backend user account as well as having PHP setting “yaml.decode_php” enabled is needed to exploit this vulnerability (which is the default value according to PHP documentation).
References
Detect and mitigate GHSA-8h28-f46f-m87h with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →