PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a deserialization protection mechanism.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTypo3 Pharstreamwrapper
APPTypo32.0.0 – 2.1.1 (bez)3.0.0 – 3.1.1 (bez)
Related vulnerabilities
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does n...
In TYPO3 installations with the "mediace" extension from version 7.6.2 and before version 7.6.5, it has been d...
It was found that Typo3 Core versions 4.5.0 - 4.5.5 uses prepared statements that, if the parameter values are...
TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to bypass authenticati...
Changing backend users' passwords via the user settings module results in storing the cleartext password in th...