CVE-2012-3527 — TYPO3 allows remote authenticated backend users to unserialize arbitrary objects

Description

view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and possibly execute arbitrary PHP code via an unspecified parameter, related to a "missing signature (HMAC)."

How to fix CVE-2012-3527

To remediate CVE-2012-3527, upgrade the affected package to a fixed version below.

Debian/typo3-src—upgrade to 4.3.9+dfsg1-1+squeeze5 or later
Packagist/typo3/cms—upgrade to 4.5.19 or later

Is CVE-2012-3527 being exploited?

Low — EPSS is 2.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.3.9+dfsg1-1+squeeze5
>= 4.5.0, < 4.5.19

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-3527
PATCHgithub.com/TYPO3/typo3
WEBexchange.xforce.ibmcloud.com/vulnerabilities/77791
WEBweb.archive.org/web/20120817233148/http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-004