The TYPO3 security advisory explicitly names FormEngine and DataHandler as vulnerable components. Both components handle serialized data structures (FlexForms) in backend operations. The vulnerability stems from processing user-controlled serialized data without proper validation. DataHandler's process_datamap handles form submissions containing serialized FlexForm values, while FormEngine's methods retrieve and process these values during form rendering. The patch in versions 8.7.27/9.5.8 likely added validation checks or replaced unsafe deserialization methods. The high confidence comes from the direct correlation between the advisory's component references and these core data processing functions.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| typo3/cms-core | composer | >= 8.0.0, < 8.7.27 | 8.7.27 |
| typo3/cms-core | composer | >= 9.0.0, < 9.5.8 | 9.5.8 |
| typo3/cms | composer | >= 8.0.0, < 8.7.27 | 8.7.27 |
| typo3/cms | composer | >= 9.0.0, < 9.5.8 | 9.5.8 |
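
To check a project against the version ranges in the table above, the following added example (not part of the advisory or of TYPO3 itself) reads a `composer.lock` and reports affected packages. The `SAMPLE_LOCK` content and the function names are constructed for illustration, and pre-release suffixes such as `-rc1` are ignored when comparing.

```python
import json

# Affected ranges copied from the table: (inclusive lower bound, first patched version).
AFFECTED = {
    "typo3/cms-core": [((8, 0, 0), (8, 7, 27)), ((9, 0, 0), (9, 5, 8))],
    "typo3/cms": [((8, 0, 0), (8, 7, 27)), ((9, 0, 0), (9, 5, 8))],
}

def parse_version(text):
    """Turn 'v9.5.7' or '8.7.26' into (9, 5, 7); return None for branch versions like 'dev-master'."""
    parts = text.lstrip("vV").split("-")[0].split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def first_patched(name, version):
    """Return the first patched version if `version` falls in an affected range, else None."""
    parsed = parse_version(version)
    for low, fixed in AFFECTED.get(name, []):
        if parsed is not None and low <= parsed < fixed:
            return ".".join(map(str, fixed))
    return None

def audit_lock(lock_text):
    """Return (name, version, action) tuples for TYPO3 core packages in a composer.lock."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in (lock.get("packages") or []) + (lock.get("packages-dev") or []):
        name, version = pkg.get("name"), pkg.get("version", "")
        if name not in AFFECTED:
            continue
        if parse_version(version) is None:
            # Branch aliases cannot be compared numerically; do not assume they are safe.
            findings.append((name, version, "review manually"))
        elif first_patched(name, version):
            findings.append((name, version, "upgrade to " + first_patched(name, version)))
    return findings

# Constructed sample lock file, not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "typo3/cms-core", "version": "v9.5.7"},
                 {"name": "vendor/other", "version": "8.1.0"}],
    "packages-dev": [{"name": "typo3/cms", "version": "8.7.x-dev"}],
})

if __name__ == "__main__":
    for finding in audit_lock(SAMPLE_LOCK):
        print(*finding, sep="  ")
```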