Code Injection in TYPO3 - CVE-2014-3942

Published: June 3, 2014 / Updated: August 10, 2020


Vulnerability identifier: #VU41583
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2014-3942
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: TYPO3
Affected software: TYPO3

Detailed vulnerability description

The vulnerability allows a remote authenticated user to read and manipulate data.

The Color Picker Wizard component in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, and 6.1.0 before 6.1.9 allows remote authenticated editors to execute arbitrary PHP code via a serialized PHP object.


How to mitigate CVE-2014-3942

Install the update from the vendor's website.

Sources