CRITICAL

GHSA-8x3j-439w-537c

TYPO3 Remote Code Execution in extension "Content Element Selector" (ceselector)

Details

The TYPO3 "Content Element Selector" (ceselector) extension passes an attacker-controlled cookie directly to PHP's `unserialize()` without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with `Persistent Mode: Static` in the plugin settings. This has been patched in versions 3.0.3, 4.0.2, 5.0.1, and 6.0.1.
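The pattern described above next to a hardened alternative, as an added example that is not the extension's code or its actual patch. The cookie name, key and function names are hypothetical, and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical cookie name and key; not taken from the ceselector code base.
const COOKIE_NAME = 'selector_state';
const HMAC_KEY = 'replace-with-a-random-server-side-secret';

// Vulnerable pattern from the advisory: the cookie value reaches unserialize()
// unchanged, so the client decides which classes get instantiated.
function loadStateUnsafe(array $cookies): mixed
{
    return isset($cookies[COOKIE_NAME]) ? unserialize($cookies[COOKIE_NAME]) : null;
}

// Hardened form: JSON can only carry data, and the HMAC rejects values that
// were not issued by the server.
function encodeState(array $state): string
{
    $json = json_encode($state, JSON_THROW_ON_ERROR);
    return base64_encode($json) . '.' . hash_hmac('sha256', $json, HMAC_KEY);
}

function loadStateSafe(array $cookies): ?array
{
    $raw = $cookies[COOKIE_NAME] ?? null;
    if (!is_string($raw) || substr_count($raw, '.') !== 1) {
        return null; // missing, or not in "<base64>.<mac>" form
    }
    [$b64, $mac] = explode('.', $raw, 2);
    $json = base64_decode($b64, true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, HMAC_KEY), $mac)) {
        return null; // bad encoding or signature mismatch
    }
    try {
        $state = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    return is_array($state) ? $state : null;
}

// Constructed sample cookies: server-issued, legacy serialized, and tampered.
$issued = [COOKIE_NAME => encodeState(['selected' => 42])];
$legacy = [COOKIE_NAME => serialize(['selected' => 42])];
$tampered = [COOKIE_NAME => substr_replace($issued[COOKIE_NAME], 'A', 0, 1)];
var_dump(loadStateSafe($issued), loadStateSafe($legacy), loadStateSafe($tampered));
```

Where a serialized format has to stay, `unserialize($value, ['allowed_classes' => false])` at least prevents object instantiation from the cookie.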

Affected packages

Packagist / mmc/ceselector
First affected version: 6.0.0. Fixed version: 6.0.1.
Fix: `composer require mmc/ceselector:^6.0.1`

Packagist / mmc/ceselector
First affected version: 5.0.0. Fixed version: 5.0.1.
Fix: `composer require mmc/ceselector:^5.0.1`

Packagist / mmc/ceselector
First affected version: 4.0.0. Fixed version: 4.0.2.
Fix: `composer require mmc/ceselector:^4.0.2`

Packagist / mmc/ceselector
First affected version: 0. Fixed version: 3.0.3.
Fix: `composer require mmc/ceselector:^3.0.3`

References