Search for vulnerabilities
Vulnerability details: VCID-zhvr-3e6u-2uc6
Vulnerability ID VCID-zhvr-3e6u-2uc6
Aliases GHSA-hh95-5xm5-v8v7
Summary TYPO3 CMS Possible Insecure Deserialization in Extbase Request Handling It has been discovered that request handling in Extbase can be vulnerable to insecure deserialization. User submitted payload has to be signed with a corresponding HMAC-SHA1 using the sensitive TYPO3 encryptionKey as secret - invalid or unsigned payload is not deserialized. However, since sensitive information could have been leaked by accident (e.g. in repositories or in commonly known and unprotected backup files), there is the possibility that attackers know the private encryptionKey and are able to calculate the required HMAC-SHA1 to allow a malicious payload to be deserialized. Requirements for successfully exploiting this vulnerability (all of the following): - rendering at least one Extbase plugin in the frontend - encryptionKey has been leaked (from LocalConfiguration.php or corresponding .env file)
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (0)
There are no known CWE.
System Score Found at
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-hh95-5xm5-v8v7
cvssv3.1 8.1 https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-12-17-7.yaml
generic_textual HIGH https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-12-17-7.yaml
cvssv3.1 8.1 https://github.com/TYPO3/typo3
generic_textual HIGH https://github.com/TYPO3/typo3
cvssv3.1 8.1 https://github.com/TYPO3/typo3/commit/57e4ed35a6e58521a931855e702b2688b3bc3d62
generic_textual HIGH https://github.com/TYPO3/typo3/commit/57e4ed35a6e58521a931855e702b2688b3bc3d62
cvssv3.1 8.1 https://github.com/TYPO3/typo3/commit/b1626ad8fd4aebedc15e424a76f86094d78b2564
generic_textual HIGH https://github.com/TYPO3/typo3/commit/b1626ad8fd4aebedc15e424a76f86094d78b2564
cvssv3.1 8.1 https://typo3.org/security/advisory/typo3-psa-2019-011
generic_textual HIGH https://typo3.org/security/advisory/typo3-psa-2019-011
Reference id Reference type URL
https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-12-17-7.yaml
https://github.com/TYPO3/typo3
https://github.com/TYPO3/typo3/commit/57e4ed35a6e58521a931855e702b2688b3bc3d62
https://github.com/TYPO3/typo3/commit/b1626ad8fd4aebedc15e424a76f86094d78b2564
https://typo3.org/security/advisory/typo3-psa-2019-011
GHSA-hh95-5xm5-v8v7 https://github.com/advisories/GHSA-hh95-5xm5-v8v7
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2019-12-17-7.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/TYPO3/typo3
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/TYPO3/typo3/commit/57e4ed35a6e58521a931855e702b2688b3bc3d62
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/TYPO3/typo3/commit/b1626ad8fd4aebedc15e424a76f86094d78b2564
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://typo3.org/security/advisory/typo3-psa-2019-011
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2025-07-01T12:11:07.373723+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-hh95-5xm5-v8v7/GHSA-hh95-5xm5-v8v7.json 36.1.3