The PharStreamWrapper (aka phar-stream-wrapper) package 2.x prior to 2.1.1 and 3.x prior to 3.1.1 for TYPO3 does not prevent directory traversal, which allows malicious users to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.
Vulnerable Product |
---|
typo3 pharstreamwrapper |
debian debian linux 8.0 |
debian debian linux 9.0 |
fedoraproject fedora 28 |
fedoraproject fedora 29 |
fedoraproject fedora 30 |
drupal drupal |
joomla joomla! |