-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| typo3/cms-core | composer | >= 8.0.0, < 8.7.30 | 8.7.30 |
| typo3/cms-core | composer | >= 9.0.0, < 9.5.12 | 9.5.12 |
The vulnerability stems from Extbase's request handling mechanism where user-submitted payloads are deserialized after HMAC verification. The RequestBuilder::build method is responsible for constructing the request object and processing parameters. Since the deserialization occurs after HMAC validation (which depends on the encryptionKey), a compromised key allows attackers to sign malicious payloads and trigger unsafe deserialization via PHP's unserialize() function. This matches the CWE-502 pattern where trusted validation (HMAC) becomes ineffective due to secret leakage.
Ongoing coverage of React2Shell