GHSA-8h28-f46f-m87h: Insecure Deserialization in TYPO3 CMS

June 5, 2024

It has been discovered that the Form Framework (system extension “form”) is vulnerable to Insecure Deserialization when being used with the additional PHP PECL package “yaml”, which is capable of unserializing YAML contents to PHP objects. A valid backend user account as well as having PHP setting “yaml.decode_php” enabled is needed to exploit this vulnerability (which is the default value according to PHP documentation).

References

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2018-07-12-4.yaml
github.com/TYPO3/typo3
github.com/advisories/GHSA-8h28-f46f-m87h
typo3.org/security/advisory/typo3-core-sa-2018-004

Detect and mitigate GHSA-8h28-f46f-m87h with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →