CVE-2020-11066
HIGH8.7EPSS 0.53%Class destructors causing side-effects when being unserialized in TYPO3 CMS
發布日:2020/5/13修改日:2026/3/13
描述
Calling unserialize() on malicious user-submitted content can result in the following scenarios: - trigger deletion of arbitrary directory in file system (if writable for web server) - trigger message submission via email using identity of web site (mail relay) Another insecure deserialization vulnerability is required to actually exploit mentioned aspects. Update to TYPO3 versions 9.5.17 or 10.4.2 that fix the problem described. ### References * https://typo3.org/security/advisory/typo3-core-sa-2020-004
受影響套件(3)
- Bitnami/typo3>= 9.0.0, < 9.5.17, >= 10.0.0, < 10.4.2
- Packagist/typo3/cms>= 10.0.0, < 10.4.2
- Packagist/typo3/cms-core>= 9.0.0, < 9.5.17
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-11066
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11066.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11066.yaml
- WEBhttps://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2rxh-h6h9-qrqc
- WEBhttps://typo3.org/security/advisory/typo3-core-sa-2020-004