Vulnerabilities > Typo3 > Pharstreamwrapper > 2.1.0

DATE CVE VULNERABILITY TITLE RISK
2019-05-09 CVE-2019-11831 Deserialization of Untrusted Data vulnerability in multiple products
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.
network
low complexity
typo3 debian fedoraproject drupal joomla CWE-502
critical
 9.8
9.8
2019-05-09 CVE-2019-11830 Deserialization of Untrusted Data vulnerability in Typo3 Pharstreamwrapper
PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a deserialization protection mechanism.
network
low complexity
typo3 CWE-502
critical
 9.8
9.8