- Component Type: TYPO3 CMS
- Vulnerable subcomponent: Form Framework (ext:form)
- Release Date: July 12, 2018
- Vulnerability Type: Insecure Deserialization
- Affected Versions: 8.5.0 to 8.7.16 and 9.0.0 to 9.3.0
- Severity: None - High (depending on whether the PHP PECL package “yaml” is installed)
- Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:H/RL:OF/RC:C/CDP:ND/TD:L/CR:ND/IR:ND/AR:ND
- CVE: not assigned yet
Problem Description
It has been discovered that the Form Framework (system extension "form") is vulnerable to Insecure Deserialization when used together with the additional PHP PECL package “yaml”, which is capable of unserializing YAML contents into PHP objects. Exploitation requires a valid backend user account and the PHP setting "yaml.decode_php" to be enabled (which is the default value according to the PHP documentation).
Solution
Update to TYPO3 version 8.7.17 or 9.3.1, which fix the problem described. In general it is suggested to disable the "yaml.decode_php" setting if the PHP PECL package "yaml" is installed.
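As an added example (not TYPO3 project code), the following PHP audit helper checks the three preconditions named in this advisory: an affected TYPO3 version, the presence of the PECL "yaml" extension, and an enabled "yaml.decode_php" setting, and applies the suggested mitigation at runtime. The function names and the version passed on the command line are hypothetical.

```php
<?php
declare(strict_types=1);

/** Affected ranges as stated in the advisory: 8.5.0-8.7.16 and 9.0.0-9.3.0. */
function isAffectedTypo3Version(string $version): bool
{
    $ranges = [['8.5.0', '8.7.16'], ['9.0.0', '9.3.0']];
    foreach ($ranges as [$min, $max]) {
        if (version_compare($version, $min, '>=') && version_compare($version, $max, '<=')) {
            return true;
        }
    }
    return false;
}

/** True only if the PECL yaml extension is loaded AND yaml.decode_php is on (the PHP default). */
function yamlDecodePhpEnabled(): bool
{
    if (!extension_loaded('yaml')) {
        return false;
    }
    // ini_get() returns "1"/"0" or "On"/"Off" depending on how the value was written in php.ini.
    return filter_var((string) ini_get('yaml.decode_php'), FILTER_VALIDATE_BOOLEAN);
}

/** Mitigation from the advisory: disable PHP object decoding for this process. */
function hardenYamlDecoding(): bool
{
    if (!extension_loaded('yaml')) {
        return false; // nothing to harden; the deserialization path does not exist
    }
    return ini_set('yaml.decode_php', '0') !== false;
}

/** Combines the checks into the advisory's "None - High" exposure rating. */
function exposureReport(string $typo3Version): array
{
    $affected = isAffectedTypo3Version($typo3Version);
    $decodeOn = yamlDecodePhpEnabled();
    return [
        'typo3_version'      => $typo3Version,
        'affected_version'   => $affected,
        'yaml_ext_loaded'    => extension_loaded('yaml'),
        'yaml_decode_php_on' => $decodeOn,
        'severity'           => ($affected && $decodeOn) ? 'High' : 'None',
    ];
}

$version = $argv[1] ?? '8.7.16'; // hypothetical CLI argument; default is a constructed sample value
print_r(exposureReport($version));
if (hardenYamlDecoding()) {
    echo "yaml.decode_php disabled for this process\n";
}
```

The severity rule mirrors the advisory: without the yaml extension or with decode_php off, the deserialization path is not reachable, so the report degrades to "None" even on an affected version.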
Credits
Thanks to TYPO3 core team member Oliver Hader who reported this issue and to TYPO3 core team member Ralf Zimmermann who fixed the issue.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
General Note
All security related code changes are tagged so that you can easily look them up in our review system.