Skip to content

Insecure Unserialize Vulnerability in FLOW3

Moderate severity GitHub Reviewed Published Jun 5, 2024 to the GitHub Advisory Database

Package

composer typo3/flow (Composer)

Affected versions

>= 1.0.0, < 1.0.4

Patched versions

1.0.4

Description

Due to a missing signature (HMAC) for a request argument, an attacker could unserialize arbitrary objects within FLOW3.

To our knowledge it is neither possible to inject code through this vulnerability, nor are there exploitable objects within the FLOW3 Base Distribution. However, there might be exploitable objects within user applications.

References

Published to the GitHub Advisory Database Jun 5, 2024
Reviewed Jun 5, 2024

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-m2hp-5x78-74mg

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.