In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.

The version of TYPO3 installed on the remote host is 9.4 prior to 9.5.8. It is, therefore, affected by an insecure deserialization vulnerability in its symfony/cache bundled, third-party component. An authenticated, remote attacker could exploit this, by sending a specially crafted object to an affected host, to delete arbitrary files on the file system.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version

TYPO3 news :

Please read the corresponding Security Advisories for details.

Multiple vulnerabilities were discovered in the Symfony PHP framework which could lead to cache bypass, authentication bypass, information disclosure, open redirect, cross-site request forgery, deletion of arbitrary files, or arbitrary code execution.

**Version 4.2.7** (2019-04-17)

  - bug #31107 [Routing] fix trailing slash redirection with     non-greedy trailing vars (nicolas-grekas)

  - bug #31108 [FrameworkBundle] decorate the     ValidatorBuilder's translator with LegacyTranslatorProxy     (nicolas-grekas)

  - bug #31121 [HttpKernel] Fix get session when the request     stack is empty (yceruto)

  - bug #31084 [HttpFoundation] Make     MimeTypeExtensionGuesser case insensitive     (vermeirentony)

  - bug #31142 Revert 'bug #30423 [Security] Rework     firewall's access denied rule (dimabory)' (chalasr)

  - security #cve-2019-10910 [DI] Check service IDs are     valid (nicolas-grekas)

  - security #cve-2019-10909 [FrameworkBundle][Form] Fix XSS     issues in the form theme of the PHP templating engine     (stof)

  - security #cve-2019-10912 [Cache][PHPUnit Bridge] Prevent     destructors with side-effects from being unserialized     (nicolas-grekas)

  - security #cve-2019-10911 [Security] Add a separator in     the remember me cookie hash (pborreli)

  - security #cve-2019-10913 [HttpFoundation] reject invalid     method override (nicolas-grekas)

----

**Version 4.2.6** (2019-04-16)

  - bug #31088 [DI] fix removing non-shared definition while     inlining them (nicolas-grekas)

  - bug #29944 [DI] Overriding services autowired by name     under _defaults bind not working (przemyslaw-bogusz,     renanbr)

  - bug #30993 [FrameworkBundle] Fix for Controller     DEPRECATED when using composer --optimized (aweelex)

  - bug #31076 [HttpKernel] Fixed LoggerDataCollector     crashing on empty file (althaus)

  - bug #31071 property normalizer should also pass format     and context to isAllowedAttribute (dbu)

  - bug #31059 Show more accurate message in profiler when     missing stopwatch (linaori)

  - bug #31026 [Serializer] Add default object class     resolver (jdecool)

  - bug #31031 [Serializer] MetadataAwareNameConverter: Do     not assume that property names are strings (soyuka)

  - bug #31043 [VarExporter] support PHP7.4 __serialize &
    __unserialize (nicolas-grekas)

  - bug #30423 [Security] Rework firewall's access denied     rule (dimabory)

  - bug #31020 [VarExporter] fix exporting classes with     private constructors (nicolas-grekas)

  - bug #31012 [Process] Fix missing $extraDirs when     open_basedir returns (arsonik)

  - bug #30852 [Console] fix buildTableRows when Colspan is     use with content too long (Raulnet)

  - bug #30950 [Serializer] Also validate callbacks when     given in the normalizer context (dbu)

  - bug #30907 [Serializer] Respect ignored attributes in     cache key of normalizer (dbu)

  - bug #30085 Fix TestRunner compatibility to PhpUnit 8     (alexander-schranz)

  - bug #30999 Fix dark themed componnents (ro0NL)

  - bug #30977 [serializer] prevent mixup in normalizer of     the object to populate (dbu)

  - bug #30976 [Debug] Fixed error handling when an error is     already handled when another error is already handled     (5) (lyrixx)

  - bug #30979 Fix the configurability of CoreExtension deps     in standalone usage (stof)

  - bug #30918 [Cache] fix using ProxyAdapter inside     TagAwareAdapter (dmaicher)

  - bug #30961 [Form] fix translating file validation error     message (xabbuh)

  - bug #30951 Handle case where no translations were found     (greg0ire)

  - bug #29800 [Validator] Only traverse arrays that are     cascaded into (corphi)

  - bug #30921 [Translator] Warm up the translations cache     in dev (tgalopin)

  - bug #30922 [TwigBridge] fix horizontal spacing of     inlined Bootstrap forms (xabbuh)

  - bug #30860 [Profiler] Fix dark theme elements color     (dFayet)

  - bug #30895 [Form] turn failed file uploads into form     errors (xabbuh)

  - bug #30919 [Translator] Fix wrong dump for PO files     (deguif)

  - bug #30889 [DependencyInjection] Fix a wrong error when     using a factory (Simperfit)

  - bug #30911 [Console] Fix table trailing backslash     (maidmaid)

  - bug #30903 [Messenger] Uses the `SerializerStamp` when     deserializing the envelope (sroze)

  - bug #30879 [Form] Php doc fixes and cs + optimizations     (Jules Pietri)

  - bug #30883 [Console] Fix stty not reset when aborting in     QuestionHelper::autocomplete() (Simperfit)

  - bug #30878 [Console] Fix inconsistent result for choice     questions in non-interactive mode (chalasr)

  - bug #30825 [Routing] Fix: annotation loader ignores     method's default values (voronkovich)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

**Version 3.4.26** (2019-04-17)

  - bug #31084 [HttpFoundation] Make     MimeTypeExtensionGuesser case insensitive     (vermeirentony)

  - bug #31142 Revert 'bug #30423 [Security] Rework     firewall's access denied rule (dimabory)' (chalasr)

  - security #cve-2019-10910 [DI] Check service IDs are     valid (nicolas-grekas)

  - security #cve-2019-10909 [FrameworkBundle][Form] Fix XSS     issues in the form theme of the PHP templating engine     (stof)

  - security #cve-2019-10912 [Cache][PHPUnit Bridge] Prevent     destructors with side-effects from being unserialized     (nicolas-grekas)

  - security #cve-2019-10911 [Security] Add a separator in     the remember me cookie hash (pborreli)

  - security #cve-2019-10913 [HttpFoundation] reject invalid     method override (nicolas-grekas)

----

**Version 3.4.25** (2019-04-16)

  - bug #29944 [DI] Overriding services autowired by name     under _defaults bind not working (przemyslaw-bogusz,     renanbr)

  - bug #31076 [HttpKernel] Fixed LoggerDataCollector     crashing on empty file (althaus)

  - bug #31071 property normalizer should also pass format     and context to isAllowedAttribute (dbu)

  - bug #31059 Show more accurate message in profiler when     missing stopwatch (linaori)

  - bug #30423 [Security] Rework firewall's access denied     rule (dimabory)

  - bug #31012 [Process] Fix missing $extraDirs when     open_basedir returns (arsonik)

  - bug #30907 [Serializer] Respect ignored attributes in     cache key of normalizer (dbu)

  - bug #30085 Fix TestRunner compatibility to PhpUnit 8     (alexander-schranz)

  - bug #30977 [serializer] prevent mixup in normalizer of     the object to populate (dbu)

  - bug #30976 [Debug] Fixed error handling when an error is     already handled when another error is already handled     (5) (lyrixx)

  - bug #30979 Fix the configurability of CoreExtension deps     in standalone usage (stof)

  - bug #30918 [Cache] fix using ProxyAdapter inside     TagAwareAdapter (dmaicher)

  - bug #30961 [Form] fix translating file validation error     message (xabbuh)

  - bug #30951 Handle case where no translations were found     (greg0ire)

  - bug #29800 [Validator] Only traverse arrays that are     cascaded into (corphi)

  - bug #30921 [Translator] Warm up the translations cache     in dev (tgalopin)

  - bug #30922 [TwigBridge] fix horizontal spacing of     inlined Bootstrap forms (xabbuh)

  - bug #30895 [Form] turn failed file uploads into form     errors (xabbuh)

  - bug #30919 [Translator] Fix wrong dump for PO files     (deguif)

  - bug #30889 [DependencyInjection] Fix a wrong error when     using a factory (Simperfit)

  - bug #30879 [Form] Php doc fixes and cs + optimizations     (Jules Pietri)

  - bug #30883 [Console] Fix stty not reset when aborting in     QuestionHelper::autocomplete() (Simperfit)

  - bug #30878 [Console] Fix inconsistent result for choice     questions in non-interactive mode (chalasr)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

**Version 2.8.50** (2019-04-17)

  - security #cve-2019-10910 [DI] Check service IDs are     valid (nicolas-grekas)

  - security #cve-2019-10909 [FrameworkBundle][Form] Fix XSS     issues in the form theme of the PHP templating engine     (stof)

  - security #cve-2019-10912 [PHPUnit Bridge] Prevent     destructors with side-effects from being unserialized     (nicolas-grekas)

  - security #cve-2019-10911 [Security] Add a separator in     the remember me cookie hash (pborreli)

  - security #cve-2019-10913 [HttpFoundation] reject invalid     method override (nicolas-grekas)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

**Version 4.1.12** (2019-04-17)

  - security #cve-2019-10910 [DI] Check service IDs are     valid (nicolas-grekas)

  - security #cve-2019-10909 [FrameworkBundle][Form] Fix XSS     issues in the form theme of the PHP templating engine     (stof)

  - security #cve-2019-10912 [Cache][PHPUnit Bridge] Prevent     destructors with side-effects from being unserialized     (nicolas-grekas)

  - security #cve-2019-10911 [Security] Add a separator in     the remember me cookie hash (pborreli)

  - security #cve-2019-10913 [HttpFoundation] reject invalid     method override (nicolas-grekas)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
138611	TYPO3 9.4 < 9.5.8 Insecure Deserialization (TYPO3-CORE-SA-2019-016)	Nessus	CGI abuses	high
126365	FreeBSD : TYPO3 -- multiple vulnerabilities (5e35cfba-9994-11e9-b07f-df5abf8b84d6)	Nessus	FreeBSD Local Security Checks	high
124779	Debian DSA-4441-1 : symfony - security update	Nessus	Debian Local Security Checks	critical
124556	Fedora 30 : php-symfony4 (2019-f5d6a7ce74)	Nessus	Fedora Local Security Checks	high
124514	Fedora 30 : php-symfony3 (2019-8635280de5)	Nessus	Fedora Local Security Checks	high
124471	Fedora 30 : php-symfony (2019-0ef4149687)	Nessus	Fedora Local Security Checks	high
124352	Fedora 29 : php-symfony (2019-f8db687840)	Nessus	Fedora Local Security Checks	high
124351	Fedora 29 : php-symfony3 (2019-a3ca65028c)	Nessus	Fedora Local Security Checks	high
124349	Fedora 28 : php-symfony (2019-3ee6a7adf2)	Nessus	Fedora Local Security Checks	high
124348	Fedora 29 : php-symfony4 (2019-32067d8b15)	Nessus	Fedora Local Security Checks	high
124347	Fedora 28 : php-symfony3 (2019-2a7f472198)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2019-10912

high

Tenable Plugins

high

high

critical

high

high

high

high

high

high

high

high