
CVE-2011-4902: Typo3 Arbitrary File Delete

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.35503%
Published: 4/22/2022
Updated: 1/12/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
typo3/cms | composer | < 4.3.12 | 4.3.12
typo3/cms | composer | >= 4.4.0, < 4.4.9 | 4.4.9
typo3/cms | composer | >= 4.5.0, < 4.5.4 | 4.5.4

Vulnerability Intelligence
Root Cause Analysis

The TYPO3 security advisory explicitly identifies an 'Unserialize() vulnerability' in which user-supplied input is deserialized, enabling arbitrary file deletion. The core issue is improper input validation (CWE-20) when processing serialized data. While the exact file and function are not named in public sources, TYPO3's GeneralUtility class is a common location for core utilities such as unserialize() operations. The high confidence stems from the direct match between the described attack vector (untrusted deserialization) and the known risks of PHP's unserialize() function when it is applied to untrusted input.


WAF Protection Rules

WAF Rule

TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to delete arbitrary files on the webserver.
