GHSA-7h74-7vcw-4mwp: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-7h74-7vcw-4mwp) is an Insecure Deserialization issue discovered in FLOW3, affecting versions 1.0.0 to 1.0.4. The vulnerability was disclosed on March 28, 2012, and was identified by TYPO3 Security Team Member Helmut Hummel. The issue has been classified as Low severity with a CVSS score of 3.7 (GitHub Advisory, Neos Blog).

The vulnerability stems from a missing signature (HMAC) for a request argument, which could allow an attacker to unserialize arbitrary objects within FLOW3. The vulnerability has been assigned a CVSS v3.1 base score of 3.7, with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network attack vector, high attack complexity, no privileges required, and no user interaction needed (GitHub Advisory).

According to the security advisory, while the vulnerability allows for unserialization of arbitrary objects, there are no known exploitable objects within the FLOW3 Base Distribution. However, there might be exploitable objects within user applications that could be affected (Neos Blog).

The vulnerability has been patched in FLOW3 version 1.0.4. Users are advised to update to this version or later to address the security issue. The same problem was also identified in the Extbase Framework in TYPO3, and users should refer to the advisory TYPO3-CORE-SA-2012-001 for additional information (Neos Blog).