Insecure Unserialize Vulnerability in FLOW3

It has been discovered that FLOW3 is vulnerable to Insecure Unserialize.
Component Type: FLOW3
Affected Versions: 1.0, master
Release Date: March 28, 2012
Vulnerability Type: Insecure unserialize
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C

Problem Description: Due to a missing signature (HMAC) for a request argument, an attacker could unserialize arbitrary objects within FLOW3. To our knowledge it is neither possible to inject code through this vulnerability, nor are there exploitable objects within the FLOW3 Base Distribution. However, there might be exploitable objects within user applications.

Solution: Update to FLOW3 1.0.4, which fixes the problem described!

Note: The same problem applies to the Extbase Framework in TYPO3. Read the corresponding advisory TYPO3-CORE-SA-2012-001 for more information.

Credits: Credits go to Security Team Member Helmut Hummel who discovered and reported the issue.

General Advice: Please subscribe to the FLOW3-announce mailing list.
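The Problem Description above comes down to a serialized request argument that was accepted without an HMAC. The following is an added example of the verify-before-unserialize pattern, not code from FLOW3 or this advisory; the function names `signArgument` and `verifyArgument`, the key handling and the sample data are assumptions, and it requires PHP 7 or later.

```php
<?php
// Added illustration; not FLOW3 code. Function names and key handling are assumptions.

/** Append an HMAC-SHA256 tag to a serialized value before handing it to the client. */
function signArgument(string $serialized, string $key): string
{
    return $serialized . hash_hmac('sha256', $serialized, $key);
}

/** Return the payload only if its trailing tag verifies; throw otherwise. */
function verifyArgument(string $signed, string $key): string
{
    $tagLength = 64; // hex length of an HMAC-SHA256 tag
    if (strlen($signed) <= $tagLength) {
        throw new InvalidArgumentException('Argument too short to carry a signature');
    }
    $payload = substr($signed, 0, -$tagLength);
    $tag = substr($signed, -$tagLength);
    // hash_equals() compares in constant time.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        throw new InvalidArgumentException('Signature mismatch, refusing to unserialize');
    }
    return $payload;
}

// Constructed sample: the server serializes its own state and signs it.
$key = random_bytes(32); // in a real application: a persistent server-side secret
$signed = signArgument(serialize(['page' => 2, 'sort' => 'title']), $key);

// Untampered round trip: verify first, then unserialize.
// allowed_classes => false additionally prevents object instantiation.
$state = unserialize(verifyArgument($signed, $key), ['allowed_classes' => false]);
var_dump($state['page']);

// A client-modified value fails verification, so unserialize() is never reached.
$tampered = str_replace('title', 'price', $signed);
try {
    unserialize(verifyArgument($tampered, $key), ['allowed_classes' => false]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```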