Cryptographic issues in TYPO3 - CVE-2012-3527

 


Published: September 6, 2012 / Updated: August 11, 2020


Vulnerability identifier: #VU43632
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2012-3527
CWE-ID: CWE-310
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: TYPO3
Affected software:
TYPO3

Detailed vulnerability description

The vulnerability allows a remote authenticated user to read and manipulate data.

view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and possibly execute arbitrary PHP code via an unspecified parameter, related to a "missing signature (HMAC)."
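
The check whose absence is described above, as an added example (not TYPO3's code and not part of the advisory): a serialized request parameter is accepted only when it carries a valid HMAC, and the signature is verified before unserialize() runs. The key, the function names and the sample values are assumptions made for the illustration.

```php
<?php
// Added illustration, not TYPO3 source. SECRET_KEY and both function names are hypothetical.
const SECRET_KEY = 'constructed-demo-key-load-from-config-in-practice';

/** Serialize server-side state and attach an HMAC so the client cannot alter it. */
function sign_payload(array $state): string
{
    $data = base64_encode(serialize($state));
    $mac  = hash_hmac('sha256', $data, SECRET_KEY);
    return $data . '.' . $mac;
}

/** Return the decoded state, or null when the signature is missing or wrong. */
function verify_and_unserialize(string $param): ?array
{
    $parts = explode('.', $param, 2);
    if (count($parts) !== 2) {
        return null; // no signature at all: the condition the advisory describes
    }
    [$data, $mac] = $parts;
    $expected = hash_hmac('sha256', $data, SECRET_KEY);
    if (!hash_equals($expected, $mac)) {
        return null; // constant-time comparison failed: stop before unserialize()
    }
    $raw = base64_decode($data, true);
    if ($raw === false) {
        return null;
    }
    // Defence in depth (PHP 7+): never instantiate objects from request data.
    $state = unserialize($raw, ['allowed_classes' => false]);
    return is_array($state) ? $state : null;
}

// Constructed sample input: a value the server signed itself is accepted.
$token = sign_payload(['section' => 'help', 'field' => 'title']);
var_dump(verify_and_unserialize($token));

// Valid signature reused with different data: verification fails.
[$data, $mac] = explode('.', $token, 2);
$tampered = base64_encode(serialize(['section' => 'other'])) . '.' . $mac;
var_dump(verify_and_unserialize($tampered));

// Unsigned serialized data is refused outright.
var_dump(verify_and_unserialize(base64_encode(serialize(['x' => 1]))));
```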


How to mitigate CVE-2012-3527

Install the update from the vendor's website.
