CVE-2012-1605: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

May 17, 2022 (updated August 29, 2023)

The Extbase Framework in TYPO3 4.6.x through 4.6.6, 4.7, and 6.0 unserializes untrusted data, which allows remote attackers to unserialize arbitrary objects and possibly execute arbitrary code via vectors related to “a missing signature (HMAC) for a request argument.”

References

typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001/
www.openwall.com/lists/oss-security/2012/03/30/4
github.com/advisories/GHSA-7jfm-px59-99w8
nvd.nist.gov/vuln/detail/CVE-2012-1605
web.archive.org/web/20120527123559/http://www.securityfocus.com/bid/52771

Code Behaviors & Features

Detect and mitigate CVE-2012-1605 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →