Improperly Controlled Modification of Dynamically-Determined Object Attributes in TYPO3 CMS
Description
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering deletion of an arbitrary directory in the file system, if it is writable for the web server. It can also trigger message submission via email using the identity of the web site (mail relay). Another insecure deserialization vulnerability is required to actually exploit mentioned aspects. This has been fixed in 9.5.17 and 10.4.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Insecure deserialization in TYPO3 CMS allows arbitrary directory deletion and email relay, affecting versions 9.0.0-9.5.16 and 10.0.0-10.4.1.
Vulnerability
Overview
CVE-2020-11066 is an insecure deserialization vulnerability in TYPO3 CMS that occurs when calling unserialize() on malicious user-submitted content. The vulnerability resides in the core component (ext:core) and affects TYPO3 versions 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1 [1][4]. The root cause involves class destructors that, when triggered during deserialization, can modify dynamically-determined object attributes, leading to unintended side effects [4].
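The destructor side effect described above, reduced to a self-contained PHP illustration that is added here and is not TYPO3 code: the class `TempDirCleaner` and the serialized input are hypothetical, and the `allowed_classes` restriction shown is a general hardening of `unserialize()`, not the fix the project shipped.

```php
<?php
// Added illustration, not TYPO3 code: a hypothetical class whose destructor acts on an
// attribute, showing why unserialize() on untrusted input is dangerous and how restricting
// the classes PHP may instantiate removes the side effect.

final class TempDirCleaner
{
    public $path;

    public function __construct($path)
    {
        $this->path = $path;
    }

    // Runs when the object is released, whether it was built by the constructor or
    // materialised by unserialize(); in the latter case $path is whatever the input said.
    public function __destruct()
    {
        if (is_dir($this->path)) {
            echo "destructor would act on directory: {$this->path}\n";
        }
    }
}

// Constructed input: a serialized TempDirCleaner whose path attribute was set by the sender.
$untrusted = 'O:14:"TempDirCleaner":1:{s:4:"path";s:4:"/tmp";}';

// Unsafe: any declared class is instantiated, so the destructor fires with the injected path.
$obj = unserialize($untrusted);
unset($obj);

// Hardened: allowed_classes => false yields __PHP_Incomplete_Class, which has no destructor,
// so no application side effect can be triggered. Prefer json_decode() for new data formats.
$safe = unserialize($untrusted, ['allowed_classes' => false]);
var_dump($safe instanceof __PHP_Incomplete_Class);
```

Auditing for the unsafe form means locating every `unserialize()` call reachable from request data and confirming either that the input is integrity-protected or that `allowed_classes` is restricted.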
Exploitation
Conditions
Exploitation requires an additional insecure deserialization vulnerability to be present to actually trigger the described impacts [1][4]. The attack vector involves network access with high complexity, and no authentication is required according to the CVSS vector (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H) [4]. An attacker must be able to submit serialized data to a vulnerable TYPO3 instance, typically through user input fields or parameters that are deserialized without proper validation.
Impact
Successful exploitation can result in deletion of an arbitrary directory in the file system, provided it is writable by the web server [1][4]. Additionally, the vulnerability can be leveraged to trigger message submission via email using the identity of the web site, effectively turning the server into a mail relay [1][4]. The integrity and availability impacts are rated high, while confidentiality remains unaffected [4].
Mitigation
The vulnerability has been fixed in TYPO3 versions 9.5.17 and 10.4.2 [1][4]. Administrators are strongly advised to update their installations to these patched versions or later. No workarounds are mentioned in the official advisory. The issue was reported and fixed by TYPO3 security team member Oliver Hader [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| typo3/cms-core (Packagist) | >= 9.0.0, < 9.5.17 | 9.5.17 |
| typo3/cms-core (Packagist) | >= 10.0.0, < 10.4.2 | 10.4.2 |
| typo3/cms (Packagist) | >= 10.0.0, < 10.4.2 | 10.4.2 |
| typo3/cms (Packagist) | >= 9.0.0, < 9.5.17 | 9.5.17 |
Affected products
- (no CPE) range: >= 9.0.0, < 9.5.17
- (no CPE) range: >= 10.0.0, < 10.4.2
- (no CPE) range: >= 9.0.0, < 9.5.17
- TYPO3 / TYPO3 CMS (CVE record v5) range: >= 9.0.0, < 9.5.17
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-2rxh-h6h9-qrqc (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-11066 (GHSA, advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-11066.yaml (GHSA, web)
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-11066.yaml (GHSA, web)
- github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2rxh-h6h9-qrqc (GHSA, x_refsource_CONFIRM, web)
- typo3.org/security/advisory/typo3-core-sa-2020-004 (GHSA, web)
News mentions
No linked articles in our index yet.