CVE-2014-6290
Description
The tt_news extension for TYPO3 before 3.5.2 is vulnerable to insecure unserialize, allowing remote attackers to execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The tt_news extension for TYPO3, versions 3.5.1 and below, contains an insecure unserialize vulnerability. The extension passes untrusted request data to PHP's unserialize() without validating it first, so an attacker controls which class is instantiated and with which property values (PHP object injection). Because unserialize() instantiates any class the application can autoload and later runs its magic methods (__wakeup, __destruct, __toString), this is more than a data-validation flaw: it hands the attacker entry into existing code paths. The issue affects every installation running a vulnerable version of the extension [1].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a crafted serialized payload to a vulnerable endpoint of the tt_news extension. No user interaction or special network position is required; the attack is carried out over plain HTTP. The attacker needs to identify a request parameter that is unserialized without validation and supply a serialized object whose class (a "gadget" already present in TYPO3, the extension, or another installed extension) does something useful to the attacker in a magic method, such as writing a file in __destruct(). unserialize() cannot define new classes, so the impact depends on which gadget classes are loadable in the target installation [1].
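The following PHP script is an added illustration of the mechanics described above and is not code from tt_news, TYPO3, or the advisory. The gadget class CacheWriter, the function names, the request parameter and the payload are all hypothetical; it shows the vulnerable unserialize() call beside two hardened variants (the allowed_classes option, available since PHP 7.0, and an HMAC over server-produced blobs) and a simple detector for serialized-object markers that can be applied to request logs.

```php
<?php
// Added example: PHP object injection via unserialize(). Hypothetical gadget
// class and payload; not code from tt_news or TYPO3.

// A "gadget": any class the application can autoload whose magic methods act
// on attacker-controlled properties. __destruct() runs automatically when the
// object is garbage-collected, even if the app never touches the object.
class CacheWriter
{
    public $path = '/tmp/cache.txt';
    public $content = '';

    public function __destruct()
    {
        file_put_contents($this->path, $this->content);
    }
}

// Vulnerable pattern: untrusted request data straight into unserialize().
// The attacker picks the class and every property value.
function loadStateVulnerable(string $raw)
{
    return unserialize($raw);
}

// Hardened pattern 1: never instantiate classes from the blob. Objects in the
// payload become __PHP_Incomplete_Class, whose magic methods do not run.
function loadStateHardened(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Hardened pattern 2: only unserialize blobs the server itself produced and
// signed. A forged or modified blob is rejected before unserialize() sees it.
function signState(array $state, string $key): string
{
    $blob = serialize($state);
    return hash_hmac('sha256', $blob, $key) . '|' . $blob;
}

function loadStateSigned(string $signed, string $key): ?array
{
    [$mac, $blob] = explode('|', $signed, 2) + [null, null];
    if ($blob === null || !hash_equals(hash_hmac('sha256', $blob, $key), $mac)) {
        return null;
    }
    return unserialize($blob, ['allowed_classes' => false]);
}

// Detection aid for request logs / WAF rules: a serialized PHP object starts
// with the distinctive O:<len>:"<class>":<n>:{ prefix.
function looksLikeSerializedObject(string $value): bool
{
    return (bool) preg_match('/(^|[;{])O:\d+:"[^"]+":\d+:\{/', $value);
}

// Constructed attacker payload: a CacheWriter whose __destruct() would write a
// web shell. Every length field must match the string exactly.
$path    = '/tmp/shell.php';
$content = '<?php system($_GET["c"]); ?>';
$payload = sprintf(
    'O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:7:"content";s:%d:"%s";}',
    strlen($path), $path, strlen($content), $content
);

echo "Detector flags payload: ", var_export(looksLikeSerializedObject($payload), true), "\n";

// Hardened: no CacheWriter is created, so nothing is written on destruction.
$obj = loadStateHardened($payload);
echo "Hardened result class: ", get_class($obj), "\n";

// Signed path: a blob without a valid MAC never reaches unserialize().
var_dump(loadStateSigned('bogus|' . $payload, 'server-secret'));

// Legitimate round trip through the signed path.
var_dump(loadStateSigned(signState(['page' => 2], 'server-secret'), 'server-secret'));

// Vulnerable path, deliberately left commented out: it would build a real
// CacheWriter and write /tmp/shell.php when the object is destroyed.
// $obj = loadStateVulnerable($payload);
```

The allowed_classes option is the cheap fix when the blob only ever carries scalars and arrays; the HMAC variant is the right shape when objects genuinely must survive the round trip. Replacing serialize()/unserialize() with JSON removes the class of bug entirely, since json_decode() never instantiates application classes.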
Impact
Successful exploitation allows the attacker to inject arbitrary PHP objects, which, given a suitable gadget class, leads to arbitrary code execution, file manipulation, or information disclosure. The CVSS v2.0 vector (AV:N/AC:L/Au:N/C:P/I:P/A:C) yields a base score of 9.0 (High): partial confidentiality and integrity impact with complete availability impact. The score models a denial of service plus partial compromise; in practice a code-execution gadget gives the attacker control of the web application's process, and from there the rest of the TYPO3 instance [1].
Mitigation
The vulnerability is fixed in version 3.5.2 of the tt_news extension, released on February 12, 2014. Users should update immediately via the TYPO3 extension manager or by downloading the updated package from the TYPO3 extension repository. No workarounds are documented. When checking exposure, go by the installed extension key and version rather than by the CPE product name alone: the affected-product entries on this page identify the product as news_project:news, while the description names tt_news. The extension is not part of the TYPO3 default installation and is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:news_project:news:3.0.0:*:*:*:*:typo3:*:*
- cpe:2.3:a:news_project:news:3.0.1:*:*:*:*:typo3:*:*
- cpe:2.3:a:news_project:news:3.1.0:*:*:*:*:typo3:*:*
- cpe:2.3:a:news_project:news:3.2.0:*:*:*:*:typo3:*:*
- cpe:2.3:a:news_project:news:3.2.1:*:*:*:*:typo3:*:*
- cpe:2.3:a:news_project:news:3.4.0:*:*:*:*:typo3:*:*
- cpe:2.3:a:news_project:news:3.5.0:*:*:*:*:typo3:*:*
- cpe:2.3:a:news_project:news:*:*:*:*:*:typo3:*:* (version range: <= 3.5.1)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.