CVE-2012-3527

TYPO3 4.5.0-4.5.18 - Authenticated Remote Code Execution via Unsafe Deserialization in Backend Help System

Title source: llm

Description

view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and possibly execute arbitrary PHP code via an unspecified parameter, related to a "missing signature (HMAC)."

References (6)

Core 6

Core References

Vendor Advisory x_refsource_confirm

http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-004/

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2012/dsa-2537

Mailing List mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2012/08/22/8

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/77791

Broken Link vdb-entry x_refsource_osvdb

http://osvdb.org/84773

Not Applicable third-party-advisory x_refsource_secunia

http://secunia.com/advisories/50287

Scores

EPSS 0.0207

EPSS Percentile 84.1%

Details

CWE

CWE-502

Status published

Products (4)

debian/debian_linux 6.0

debian/debian_linux 7.0

typo3/cms 4.5.0 - 4.5.19Packagist

typo3/typo3 4.5.0 - 4.5.19

Published Sep 05, 2012

Tracked Since Feb 18, 2026