TYPO3 Site Crawler Extension Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in the TYPO3 Site Crawler extension, affecting versions 12.0.0 through 12.0.10 and versions 11.0.12 and below. The vulnerability arises because the extension passes the X-T3Crawler-Meta response header returned by crawled URLs directly to PHP's unserialize() function. An attacker who controls a crawled endpoint can therefore inject arbitrary serialized PHP objects, which may lead to remote code execution on the TYPO3 server. Exploitation requires administrative privileges to set up a crawler-enabled page and start the crawl via a Scheduler task, but a non-super-admin administrator could exploit this to escalate privileges.
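The unsafe pattern the advisory describes, beside a hardened replacement, as an added illustration rather than the extension's own code: the header name comes from the advisory, while the function names, the AuditProbe class and the sample strings are constructed for this example.

```php
<?php
declare(strict_types=1);

// Stand-in class whose __wakeup() shows whether deserialization ran code.
// It is a constructed probe for this example, not a real gadget.
class AuditProbe
{
    public string $note = '';
    public function __wakeup(): void
    {
        echo "AuditProbe::__wakeup() executed\n";
    }
}

// Vulnerable pattern: the X-T3Crawler-Meta value comes from a remote server,
// yet it is handed straight to unserialize(), so any serialized object in it
// is instantiated and its magic methods run.
function parseMetaHeaderUnsafe(string $headerValue): mixed
{
    return unserialize($headerValue);
}

// Hardened pattern: allowed_classes => false turns every object in the
// payload into __PHP_Incomplete_Class (no constructor or magic method runs),
// max_depth (PHP 7.4+) bounds nesting, and only plain arrays are accepted.
function parseMetaHeaderSafe(string $headerValue): ?array
{
    $decoded = @unserialize($headerValue, [
        'allowed_classes' => false,
        'max_depth'       => 8,
    ]);
    return is_array($decoded) ? $decoded : null;
}

// Constructed sample header values: one benign array, one carrying an object.
$benign     = serialize(['requestId' => 42, 'status' => 'ok']);
$withObject = serialize(new AuditProbe());

// Unsafe: prints "AuditProbe::__wakeup() executed" and returns an AuditProbe.
var_dump(parseMetaHeaderUnsafe($withObject) instanceof AuditProbe);   // bool(true)

// Safe: nothing is executed; the object payload is rejected, the array passes.
var_dump(parseMetaHeaderSafe($withObject));                           // NULL
var_dump(parseMetaHeaderSafe($benign)['requestId']);                  // int(42)
```

A format that cannot carry objects at all, such as JSON via json_decode(), removes the class of bug entirely and is the preferable fix where the header format can be changed.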

Impact

Exploitation of this vulnerability allows for remote code execution on the TYPO3 server.

Remediation

Users are advised to update the Site Crawler extension to version 12.0.11 or 11.0.13, available through the TYPO3 extension manager, Packagist, or by downloading the ZIP files from the TYPO3 extensions website.

Added: May 19, 2026, 10:18 AM
Updated: May 19, 2026, 10:18 AM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 10.0
exploitability: 4.4
remediation: 3.1
relevance: 8.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.