Z3Rco

**Name of the Vulnerable Software and Affected Versions** TYPO3 CMS versions prior to 10.4.57 TYPO3 CMS versions 11.0.0 through 11.5.51 TYPO3 CMS versions 12.0.0 through 12.4.46 TYPO3 CMS versions 13.0.0 through 13.4.31 TYPO3 CMS versions 14.0.0 through 14.3.3 **Description** The cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialize PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend, such as the file system or the `sys registry` database table, can inject a crafted serialized payload to trigger PHP Object Injection. This may allow the exploitation of a gadget chain to achieve Remote Code Execution. **Recommendations** Update to version 10.4.57 or later. Update to version 11.5.52 or later. Update to version 12.4.47 or later. Update to version 13.4.32 or later. Update to version 14.3.4 or later.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions prior to 9.4.8 **Description** Concrete CMS versions prior to 9.4.8 are susceptible to Cross-Site Request Forgery (CSRF) attacks initiated by a malicious administrator. The issue stems from the Anti-Spam Allowlist Group Configuration, specifically through manipulation of the `group id` parameter. This allows a security bypass, as changes are saved without proper CSRF token verification. **Recommendations** Update Concrete CMS to version 9.4.8 or later.

**Name of the Vulnerable Software and Affected Versions** Craft versions prior to 4.17.0-beta.1 and versions prior to 5.9.0-beta.1 **Description** Craft is a content management system (CMS) that contains a flaw in the GraphQL directive `@parseRefs`. This directive, designed to parse internal reference tags, can be exploited by both authenticated users and unauthenticated guests (when a Public Schema is enabled) to access sensitive attributes of any element within the CMS. The `Elements::parseRefs` implementation lacks authorization checks, allowing attackers to read data they are not permitted to view. The vulnerability allows access to sensitive attributes through reference tags like `{user:1:email}`. Attack vectors include privilege escalation, user data leakage, arbitrary property reflection, server-side logic execution, and IDOR on private entries and assets. The `@parseRefs` directive is active in the Public Schema, enabling unauthenticated exploitation. Exploitation can occur through API endpoints, such as the GraphQL API endpoint `/index.php?action=graphql/api`, using payloads in queries. The vulnerable function is `Elements::parseRefs`. The vulnerability can lead to critical information disclosure, system information leakage, and potential authentication bypass. **Recommendations** Versions prior to 4.17.0-beta.1: Modify `Elements::parseRefs` to enforce `canView` permissions on the resolved element before extracting attributes. Versions prior to 5.9.0-beta.1: Modify `Elements::parseRefs` to enforce `canView` permissions on the resolved element before extracting attributes.