PT-2024-40082 · Typo3 · Typo3
Published: 2024-06-05 · Updated: 2024-06-05
Severity: None. No severity ratings or metrics are available; when they are, the corresponding information on this page will be updated.
Name of the Vulnerable Software and Affected Versions:
TYPO3 (affected versions not specified)
Description:
The issue concerns insecure deserialization triggered through PHP's native phar:// stream wrapper. When a filesystem function is invoked on a phar:// path, PHP reads the archive's manifest and unserializes the metadata stored in it, so untrusted data that reaches such a call (an attacker-controlled path, or an uploaded archive whose manifest carries a crafted serialized object) can be abused to hijack the application's logic. TYPO3 introduced the PharStreamWrapper interceptor to protect against this class of bug in third-party components: it replaces the native phar wrapper, checks each phar:// access, and only then hands the operation to PHP's native Phar handling before re-installing itself. It was found, however, that exception and error handlers in custom application code did not always return control to this original operating sequence. When the delegated native operation aborts with an exception, the re-installation step is skipped and native PHP Phar handling stays active for the rest of the request, so the interceptor is bypassed. Two examples show how this happens in custom application code: an exception thrown from code organized inside a Phar archive, and PHP errors converted to exceptions and thrown while interacting with archive contents.
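The following PHP program is an added illustrative model of the interceptor sequence described above, not the typo3/phar-stream-wrapper source or TYPO3 code. The class names (IllustrativeInterceptor, VulnerableInterceptor, HardenedInterceptor), the allow-list prefix and the probe paths are invented for the demonstration. It shows the flawed "restore native, delegate, re-install" sequence beside the fixed one, triggers the bypass with an error handler that promotes warnings to exceptions (the second case named in the description), and then probes whether the interceptor is still consulted.

```php
<?php
declare(strict_types=1);

// Added illustrative model of the interceptor pattern; NOT the typo3/phar-stream-wrapper
// source. Class, method and path names are invented for this demonstration.
// Requires PHP >= 8.0 with the phar extension loaded (the default in CLI builds).

// Shared skeleton: refuse phar:// paths outside a hypothetical allow-list, otherwise hand
// the operation to PHP's native phar wrapper and then put the interceptor back in place.
abstract class IllustrativeInterceptor
{
    public const ALLOWED_PREFIX = 'phar:///tmp/allowed/'; // hypothetical allow-list
    public static int $checks = 0;                         // how often the interceptor was consulted
    /** @var resource|null populated by PHP for context-aware operations */
    public $context;

    public static function install(): void
    {
        stream_wrapper_unregister('phar');
        stream_wrapper_register('phar', static::class);
    }

    protected static function assertAllowed(string $path): void
    {
        self::$checks++;
        if (strncmp($path, self::ALLOWED_PREFIX, strlen(self::ALLOWED_PREFIX)) !== 0) {
            throw new RuntimeException("Blocked phar path: $path");
        }
    }

    // file_exists(), stat(), is_file() and friends end up here.
    public function url_stat(string $path, int $flags): array|false
    {
        self::assertAllowed($path);
        return $this->delegate(fn () => ($flags & STREAM_URL_STAT_QUIET) ? @stat($path) : stat($path));
    }

    abstract protected function delegate(callable $nativeCall): mixed;
}

// Flawed sequence: the interceptor is only re-installed if the native call returns normally.
final class VulnerableInterceptor extends IllustrativeInterceptor
{
    protected function delegate(callable $nativeCall): mixed
    {
        stream_wrapper_restore('phar'); // native Phar handling is active from here on
        $result = $nativeCall();        // an exception here unwinds past the next line...
        static::install();              // ...so native handling stays active for the request
        return $result;
    }
}

// Fixed sequence: re-installation runs on every exit path, including exceptions.
final class HardenedInterceptor extends IllustrativeInterceptor
{
    protected function delegate(callable $nativeCall): mixed
    {
        stream_wrapper_restore('phar');
        try {
            return $nativeCall();
        } finally {
            static::install();
        }
    }
}

// Returns true if the interceptor still guards phar:// after an exception passed through it.
function interceptorSurvivesException(string $interceptorClass): bool
{
    $interceptorClass::install();
    // Many frameworks promote PHP warnings to exceptions; that is the trigger modelled here.
    set_error_handler(static function (int $severity, string $message): bool {
        throw new ErrorException($message, 0, $severity);
    });
    try {
        // Allowed prefix, but the archive does not exist: native stat() emits a warning,
        // the handler turns it into an ErrorException, and it propagates out of url_stat().
        stat(IllustrativeInterceptor::ALLOWED_PREFIX . 'missing.phar/file.txt');
    } catch (ErrorException $e) {
        // Typical application behaviour: log the error and continue serving the request.
    } finally {
        restore_error_handler();
    }

    // Probe with a path outside the allow-list. An active interceptor is consulted (and
    // refuses it); a bypassed one lets PHP's native wrapper answer without any check.
    $before = IllustrativeInterceptor::$checks;
    try {
        file_exists('phar:///evil/upload.phar/payload.txt');
    } catch (RuntimeException $e) {
        // expected when the interceptor is active
    }
    $active = IllustrativeInterceptor::$checks > $before;

    @stream_wrapper_restore('phar'); // reset for the next run
    return $active;
}

// false means native Phar handling stayed active after the exception (bypassed)
var_dump(interceptorSurvivesException(VulnerableInterceptor::class));
// true means the interceptor was re-installed despite the exception
var_dump(interceptorSurvivesException(HardenedInterceptor::class));
```

The only difference between the two classes is the try/finally around the delegated native call; everything that can throw while the native wrapper is active (including an error handler converting a warning into an ErrorException) must be covered by it. The probe at the end is also the check a practitioner can run in a real application: after any exception that passed through Phar handling, access a phar:// path that the interceptor is supposed to refuse and confirm that it is still refused.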
Recommendations:
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
Deserialization of Untrusted Data (CWE-502)
Related Identifiers
Affected Products
Typo3