8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-hh95-5xm5-v8v7

EPSS Score

CWE

Published

6/7/2024

Updated

6/7/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-hh95-5xm5-v8v7

GHSA-hh95-5xm5-v8v7: TYPO3 CMS Possible Insecure Deserialization in Extbase Request Handling

It has been discovered that request handling in Extbase can be vulnerable to insecure deserialization. User submitted payload has to be signed with a corresponding HMAC-SHA1 using the sensitive TYPO3 encryptionKey as secret - invalid or unsigned payload is not deserialized.

However, since sensitive information could have been leaked by accident (e.g. in repositories or in commonly known and unprotected backup files), there is the possibility that attackers know the private encryptionKey and are able to calculate the required HMAC-SHA1 to allow a malicious payload to be deserialized.

Requirements for successfully exploiting this vulnerability (all of the following):

rendering at least one Extbase plugin in the frontend
encryptionKey has been leaked (from LocalConfiguration.php or corresponding .env file)

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-hh95-5xm5-v8v7

GHSA-hh95-5xm5-v8v7:

8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-hh95-5xm5-v8v7

EPSS Score

CWE

Published

6/7/2024

Updated

6/7/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
typo3/cms	composer	>= 8.0.0, < 8.7.30	8.7.30
typo3/cms	composer	>= 9.0.0, < 9.5.12	9.5.12

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure use of unserialize() in Extbase's request handling. The patches explicitly add 'allowed_classes' => false to these calls, indicating they were previously vulnerable to object injection. The functions process user-controlled data (after HMAC validation), and without class restrictions, a compromised encryptionKey allows attackers to deserialize malicious objects. The direct correlation between the vulnerability description and the patch changes confirms these as the vulnerable points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.1

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-hh95-5xm5-v8v7: TYPO3 CMS Possible Insecure Deserialization in Extbase Request Handling

GHSA-hh95-5xm5-v8v7:

8.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

8.1

8.1

GHSA-hh95-5xm5-v8v7: TYPO3 CMS Possible Insecure Deserialization in Extbase Request Handling

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI