Bug 881281 (CVE-2014-3942) - VUL-0: CVE-2014-3942: typo3-cms-4_5, typo3-cms-4_7: Color Picker Wizard component RCE
Status: RESOLVED FIXED
Alias: CVE-2014-3942
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.1
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Forgotten User mJouVTf9j4
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/99272/
Reported: 2014-06-04 10:54 UTC by Johannes Segitz
Modified: 2015-02-19 02:17 UTC

Found By: Security Response Team
Description Johannes Segitz 2014-06-04 10:54:41 UTC
The Color Picker Wizard component in TYPO3 4.5.0 before 4.5.34, 4.7.0 before
4.7.19, 6.0.0 before 6.0.14, and 6.1.0 before 6.1.9 allows remote authenticated
editors to execute arbitrary PHP code via a serialized PHP object.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3942
http://www.cvedetails.com/cve/CVE-2014-3942/
Comment 1 Swamp Workflow Management 2014-06-04 22:00:23 UTC
bugbot adjusting priority
Comment 2 Bernhard Wiedemann 2014-06-09 18:00:18 UTC
This is an autogenerated message for OBS integration:
This bug (881281) was mentioned in
https://build.opensuse.org/request/show/236669 12.3 / typo3-cms-4_5
https://build.opensuse.org/request/show/236680 13.1 / typo3-cms-4_5
Comment 3 Forgotten User mJouVTf9j4 2014-06-09 19:21:35 UTC
Fixed with maintenance requests:
- mr#236669
- mr#236680
- mr#236688
- mr#236689
Comment 4 Bernhard Wiedemann 2014-06-09 20:00:22 UTC
This is an autogenerated message for OBS integration:
This bug (881281) was mentioned in
https://build.opensuse.org/request/show/236688 13.1 / typo3-cms-4_7+typo3-cms-4_5
https://build.opensuse.org/request/show/236689 12.3 / typo3-cms-4_7+typo3-cms-4_5
Comment 5 Swamp Workflow Management 2014-06-18 10:04:36 UTC
openSUSE-SU-2014:0813-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 881280,881281,881282
CVE References: CVE-2014-3941,CVE-2014-3942,CVE-2014-3943
Sources used:
openSUSE 13.1 (src):    typo3-cms-4_5-4.5.34-2.4.1
openSUSE 12.3 (src):    typo3-cms-4_5-4.5.34-2.8.1