CVE-2012-3527
First published: Wed Sep 05 2012(Updated: )
view_help.php in the backend help system in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allows remote authenticated backend users to unserialize arbitrary objects and possibly execute arbitrary PHP code via an unspecified parameter, related to a "missing signature (HMAC)."
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| TYPO3 | =4.5 | |
| TYPO3 | =4.5.0 | |
| TYPO3 | =4.5.1 | |
| TYPO3 | =4.5.2 | |
| TYPO3 | =4.5.3 | |
| TYPO3 | =4.5.4 | |
| TYPO3 | =4.5.5 | |
| TYPO3 | =4.5.6 | |
| TYPO3 | =4.5.7 | |
| TYPO3 | =4.5.8 | |
| TYPO3 | =4.5.9 | |
| TYPO3 | =4.5.10 | |
| TYPO3 | =4.5.11 | |
| TYPO3 | =4.5.12 | |
| TYPO3 | =4.5.13 | |
| TYPO3 | =4.5.14 | |
| TYPO3 | =4.5.15 | |
| TYPO3 | =4.5.16 | |
| TYPO3 | =4.5.17 | |
| TYPO3 | =4.5.18 | |
| TYPO3 | =4.6 | |
| TYPO3 | =4.6.0 | |
| TYPO3 | =4.6.1 | |
| TYPO3 | =4.6.2 | |
| TYPO3 | =4.6.3 | |
| TYPO3 | =4.6.4 | |
| TYPO3 | =4.6.5 | |
| TYPO3 | =4.6.6 | |
| TYPO3 | =4.6.7 | |
| TYPO3 | =4.6.8 | |
| TYPO3 | =4.6.9 | |
| TYPO3 | =4.6.10 | |
| TYPO3 | =4.6.11 | |
| TYPO3 | =4.7 | |
| TYPO3 | =4.7.0 | |
| TYPO3 | =4.7.1 | |
| TYPO3 | =4.7.2 | |
| TYPO3 | =4.7.3 | |
| TYPO3 | >=4.5.0<4.5.19 | |
| TYPO3 | >=4.6.0<4.6.12 | |
| TYPO3 | >=4.7.0<4.7.4 | |
| Debian Linux | =6.0 | |
| Debian Linux | =7.0 | |
| composer/typo3/cms | >=4.7.0<4.7.4 | 4.7.4 |
| composer/typo3/cms | >=4.6.0<4.6.12 | 4.6.12 |
| composer/typo3/cms | >=4.5.0<4.5.19 | 4.5.19 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://osvdb.org/84773
- http://secunia.com/advisories/50287
- http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-004/
- http://www.debian.org/security/2012/dsa-2537
- http://www.openwall.com/lists/oss-security/2012/08/22/8
- https://exchange.xforce.ibmcloud.com/vulnerabilities/77791
- https://nvd.nist.gov/vuln/detail/CVE-2012-3527
- https://web.archive.org/web/20120817233148/http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-004
- https://github.com/advisories/GHSA-m4hw-r893-xh4g (Advisory)
Frequently Asked Questions
What is the severity of CVE-2012-3527?
CVE-2012-3527 is classified as a high severity vulnerability due to its potential to allow remote authenticated users to execute arbitrary PHP code.
How do I fix CVE-2012-3527?
To fix CVE-2012-3527, you should upgrade TYPO3 to a version later than 4.5.19, 4.6.12, or 4.7.4.
What versions are affected by CVE-2012-3527?
CVE-2012-3527 affects TYPO3 versions 4.5.0 to 4.5.18, 4.6.0 up to 4.6.11, and 4.7.0 to 4.7.3.
Can CVE-2012-3527 be exploited by unprivileged users?
No, CVE-2012-3527 requires remote authenticated backend users to exploit the vulnerability.
What type of vulnerability is CVE-2012-3527?
CVE-2012-3527 is an unserialization vulnerability that may lead to remote code execution.
- agent/type
- agent/first-publish-date
- agent/severity
- agent/weakness
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/author
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-m4hw-r893-xh4g
- alias/CVE-2012-3527
- agent/last-modified-date
- agent/references
- agent/source
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- agent/tags
- collector/github-advisory
- vendor/typo3
- canonical/typo3
- version/typo3/4.5
- version/typo3/4.5.0
- version/typo3/4.5.1
- version/typo3/4.5.2
- version/typo3/4.5.3
- version/typo3/4.5.4
- version/typo3/4.5.5
- version/typo3/4.5.6
- version/typo3/4.5.7
- version/typo3/4.5.8
- version/typo3/4.5.9
- version/typo3/4.5.10
- version/typo3/4.5.11
- version/typo3/4.5.12
- version/typo3/4.5.13
- version/typo3/4.5.14
- version/typo3/4.5.15
- version/typo3/4.5.16
- version/typo3/4.5.17
- version/typo3/4.5.18
- version/typo3/4.6
- version/typo3/4.6.0
- version/typo3/4.6.1
- version/typo3/4.6.2
- version/typo3/4.6.3
- version/typo3/4.6.4
- version/typo3/4.6.5
- version/typo3/4.6.6
- version/typo3/4.6.7
- version/typo3/4.6.8
- version/typo3/4.6.9
- version/typo3/4.6.10
- version/typo3/4.6.11
- version/typo3/4.7
- version/typo3/4.7.0
- version/typo3/4.7.1
- version/typo3/4.7.2
- version/typo3/4.7.3
- vendor/debian
- canonical/debian linux
- version/debian linux/6.0
- version/debian linux/7.0
- package-manager/composer