PT-2020-12527 · Typo3 · Typo3/Cms

Oliver Hader · Published 2020-05-13 · Updated 2024-03-06 · CVE-2020-11066

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions

TYPO3 CMS versions 9.0.0 through 9.5.16
TYPO3 CMS versions 10.0.0 through 10.4.1

Description

The issue arises when unserialize() is called on malicious user-submitted content, potentially leading to the modification of dynamically-determined object attributes. This can result in the deletion of an arbitrary directory in the file system if it is writable for the web server, or trigger message submission via email using the identity of the web site (mail relay). Another insecure deserialization vulnerability is required to actually exploit these aspects.

Recommendations

For TYPO3 CMS versions 9.0.0 through 9.5.16, update to version 9.5.17.
For TYPO3 CMS versions 10.0.0 through 10.4.1, update to version 10.4.2.

Prototype Pollution

Related Identifiers

BIT-TYPO3-2020-11066
CVE-2020-11066
GHSA-2RXH-H6H9-QRQC

Affected Products

Typo3/Cms