CVE-2020-11067— Deserialization of Untrusted Data in TYPO3 CMS

CVSS 8.8 · High EPSS 1.18% · P79 Updated Feb 24, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2020-11067

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Deserialization of Untrusted Data in TYPO3 CMS

Source: NVD (National Vulnerability Database)

Vulnerability Description

In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of third party components, this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability. This has been fixed in 9.5.17 and 10.4.2.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

可信数据的反序列化

Source: NVD (National Vulnerability Database)

Vulnerability Title

TYPO3 Backend User Interface组件代码问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

TYPO3是瑞士TYPO3（Typo3）协会的一套免费开源的内容管理系统(框架)(CMS/CMF)。 TYPO3 9.0.0版本至9.5.16版本和10.0.0版本至10.4.1版本中的Backend User Interface组件存在代码问题漏洞。远程攻击者可利用该漏洞（及其他漏洞）执行代码。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
TYPO3	TYPO3 CMS	>= 9.0.0, < 9.5.17	-

II. Public POCs for CVE-2020-11067

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2020-11067

请登录查看更多情报信息。

Same Patch Batch · TYPO3 · 2020-05-13 · 6 CVEs total

CVE-2020-11066	8.7 HIGH	Improperly Controlled Modification of Dynamically-Determined Object Attributes in TYPO3 CM
CVE-2020-11069	8.0 HIGH	Cross-Site Request Forgery in TYPO3 CMS
CVE-2020-11065	5.4 MEDIUM	Cross-Site Scripting in TYPO3 CMS
CVE-2020-11064	5.4 MEDIUM	Cross-Site Scripting in TYPO3 CMS
CVE-2020-11063	3.7 LOW	Observable Response Discrepancy in TYPO3 CMS

IV. Related Vulnerabilities

Same product: TYPO3 CMS

Same vendor: TYPO3

Same weakness: CWE-502

V. Comments for CVE-2020-11067

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2020-11067— Deserialization of Untrusted Data in TYPO3 CMS

I. Basic Information for CVE-2020-11067

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2020-11067

III. Intelligence Information for CVE-2020-11067

Same Patch Batch · TYPO3 · 2020-05-13 · 6 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2020-11067

Leave a comment