CVE-2020-11066

Description

Calling unserialize() on malicious user-submitted content can result in the following scenarios: - trigger deletion of arbitrary directory in file system (if writable for web server) - trigger message submission via email using identity of web site (mail relay) Another insecure deserialization vulnerability is required to actually exploit mentioned aspects. Update to TYPO3 versions 9.5.17 or 10.4.2 that fix the problem described. ### References * https://typo3.org/security/advisory/typo3-core-sa-2020-004

How to fix CVE-2020-11066

To remediate CVE-2020-11066, upgrade the affected package to a fixed version below.

• —upgrade to 9.5.17 or later
• —upgrade to 10.4.2 or later
• —upgrade to 9.5.17 or later

Is CVE-2020-11066 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• >= 9.0.0, < 9.5.17, >= 10.0.0, < 10.4.2
• >= 10.0.0, < 10.4.2
• >= 9.0.0, < 9.5.17

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-11066
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11066.yaml
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11066.yaml
• WEBgithub.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2rxh-h6h9-qrqc