TYPO3 CMS Mailer File Spool Insecure Deserialization Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A vulnerability in the mailer file spool component of TYPO3 CMS allows local users who have write access to the spool directory to place malicious files there. These files are deserialized when the mailer:spool:send command runs, leading to arbitrary PHP code execution on the web server. The vulnerability affects TYPO3 CMS versions 10.0.0 prior to 10.4.54, 11.0.0 prior to 11.5.48, 12.0.0 prior to 12.4.40, 13.0.0 prior to 13.4.22, and 14.0.0 through 14.0.1.

Impact

Exploitation of this vulnerability allows for arbitrary PHP code execution on the web server.

Reproduction

The vulnerability can be reproduced by crafting a file with a malicious payload and placing it in the TYPO3 mail file spool directory. When the mailer:spool:send command is executed, the file is deserialized, and the injected PHP code is executed on the server.

Remediation

Users should update to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, or 14.0.2, all of which address this vulnerability.
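Because the attack path requires write access to the spool directory, a useful interim check alongside the update is to confirm that no local user other than the intended owner can write to that directory or to the spool files inside it. The following POSIX shell script is an added example and is not part of this advisory or of the TYPO3 project; the spool path and the expected owner uid in the usage comment are assumptions that must be adjusted for each installation.

```shell
#!/bin/sh
# Added example, not TYPO3 project code: audit a mail spool directory so that
# only its owner (normally the web server or CLI user) can write to it.
# The spool path and owner used in the usage comment are assumptions.

# check_spool_dir DIR EXPECTED_UID
# Returns 0 when DIR exists, is owned by EXPECTED_UID, and neither the
# directory nor anything inside it is writable by group or others.
# Prints each finding and returns 1 otherwise.
check_spool_dir() {
    dir="$1"
    expected_uid="$2"
    rc=0

    if [ ! -d "$dir" ]; then
        echo "FINDING: spool directory $dir does not exist"
        return 1
    fi

    # Numeric owner uid and octal mode of the directory itself.
    # GNU stat syntax first, with a BSD/macOS fallback.
    owner_uid=$(stat -c '%u' "$dir" 2>/dev/null || stat -f '%u' "$dir")
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")

    if [ "$owner_uid" != "$expected_uid" ]; then
        echo "FINDING: $dir is owned by uid $owner_uid, expected $expected_uid"
        rc=1
    fi

    # 022 (octal) masks the group-write and other-write permission bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FINDING: $dir mode $mode is writable by group or others"
        rc=1
    fi

    # Any spool entry another local user could modify is deserialization
    # input that user controls, so flag every group- or other-writable entry.
    writable=$(find "$dir" ! -path "$dir" \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$writable" ]; then
        echo "FINDING: group/other-writable entries under $dir:"
        echo "$writable"
        rc=1
    fi

    return $rc
}

# Usage (path and account name are assumptions for illustration):
#   check_spool_dir /var/www/typo3/var/spool "$(id -u www-data)"
```

The script checks permission bits only; it does not inspect file contents, so it reports a directory that other local users could write to rather than detecting a crafted file that is already present. A non-zero exit status is suitable for wiring into a cron job or configuration-management check on hosts that cannot be updated immediately.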

Added: Jan 13, 2026, 12:19 PM
Updated: Jan 13, 2026, 2:07 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 10.0
exploitability: 4.6
remediation: 7.7
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.