Filtered by vendor Typo3 Subscriptions
Filtered by product Pharstreamwrapper Subscriptions
Total 2 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2019-11831 5 Debian, Drupal, Fedoraproject and 2 more 5 Debian Linux, Drupal, Fedora and 2 more 2024-11-21 9.8 Critical
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.
CVE-2019-11830 1 Typo3 1 Pharstreamwrapper 2024-11-21 N/A
PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a deserialization protection mechanism.