CVE-2019-19849
HIGHTYPO3 < 8.7.30, 9.x < 9.5.12, 10.x < 10.2.2 - Authenticated Remote Code Execution via Insecure Deserialization
Title source: llmDescription
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel (Backend Module: DB Check) installed, with a valid backend user who has administrator privileges. The other exploitable scenario requires having the system extension ext:sys_action installed, with a valid backend user who has limited privileges.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
https://typo3.org/security/advisory/typo3-core-sa-2019-026/
Vendor Advisory x_refsource_misc
https://review.typo3.org/q/%2522Resolves:+%252389005%2522+topic:security
Scores
CVSS v3
8.8
EPSS
0.0075
EPSS Percentile
73.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (3)
typo3/cms
10.0.0 - 10.2.1Packagist
typo3/cms-core
10.0.0 - 10.2.1Packagist
typo3/typo3
< 8.7.30
Published
Dec 17, 2019
Tracked Since
Feb 18, 2026