8.1

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-5h5v-m596-r6rf

EPSS Score

CWE

CWE-502

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-5h5v-m596-r6rf

GHSA-5h5v-m596-r6rf: TYPO3 Possible Insecure Deserialization in Extbase Request Handling

It has been discovered that request handling in Extbase can be vulnerable to insecure deserialization. User submitted payload has to be signed with a corresponding HMAC-SHA1 using the sensitive TYPO3 encryptionKey as secret - invalid or unsigned payload is not deserialized.

However, since sensitive information could have been leaked by accident (e.g. in repositories or in commonly known and unprotected backup files), there is the possibility that attackers know the private encryptionKey and are able to calculate the required HMAC-SHA1 to allow a malicious payload to be deserialized.

Requirements for successfully exploiting this vulnerability (all of the following):

rendering at least one Extbase plugin in the frontend
encryptionKey has been leaked (from LocalConfiguration.php or corresponding .env file)

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-5h5v-m596-r6rf

EPSS Score

CWE

CWE-502

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/cms-core	composer	>= 8.0.0, < 8.7.30	8.7.30
typo3/cms-core	composer	>= 9.0.0, < 9.5.12	9.5.12

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Extbase's request handling mechanism where user-submitted payloads are deserialized after HMAC verification. The RequestBuilder::build method is responsible for constructing the request object and processing parameters. Since the deserialization occurs after HMAC validation (which depends on the encryptionKey), a compromised key allows attackers to sign malicious payloads and trigger unsafe deserialization via PHP's unserialize() function. This matches the CWE-502 pattern where trusted validation (HMAC) becomes ineffective due to secret leakage.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

It **s ***n *is*ov*r** t**t r*qu*st **n*lin* in *xt**s* **n ** vuln*r**l* to ins**ur* **s*ri*liz*tion. Us*r su*mitt** p*ylo** **s to ** si*n** wit* * *orr*spon*in* *M**-S*** usin* t** s*nsitiv* TYPO* *n*ryptionK*y *s s**r*t - inv*li* or unsi*n** p*yl

Reasoning

T** vuln*r**ility st*ms *rom *xt**s*'s r*qu*st **n*lin* m****nism w**r* us*r-su*mitt** p*ylo**s *r* **s*ri*liz** **t*r *M** v*ri*i**tion. T** R*qu*st*uil**r::*uil* m*t*o* is r*sponsi*l* *or *onstru*tin* t** r*qu*st o*j**t *n* pro**ssin* p*r*m*t*rs. S

8.1

Basic Information

Concerned about an active attack path?

GHSA-5h5v-m596-r6rf: TYPO3 Possible Insecure Deserialization in Extbase Request Handling

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI