GHSA-96jg-pmc4-cx39: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-96jg-pmc4-cx39) is an Insecure Deserialization issue discovered in TYPO3 CMS's Form Framework (system extension form). The vulnerability affects TYPO3 CMS versions 8.5.0 to 8.7.16 and 9.0.0 to 9.3.0, and was disclosed on July 12, 2018. The issue specifically occurs when the system is used with the PHP PECL package yaml, which can unserialize YAML contents to PHP objects (TYPO3 Advisory, GitHub Advisory).

The vulnerability is classified as High severity with a CVSS score of 7.5. The attack requires network access with high complexity, low privileges, and no user interaction. The vulnerability specifically affects the Form Framework when used with the PHP PECL package yaml. Exploitation requires a valid backend user account and the PHP setting 'yaml.decode_php' to be enabled, which is the default configuration according to PHP documentation (GitHub Advisory).

The vulnerability has high potential impact on confidentiality, integrity, and availability of the affected systems. The CVSS metrics indicate that successful exploitation could lead to significant data exposure and system compromise, though the attack complexity is considered high (GitHub Advisory).

The vulnerability has been patched in TYPO3 versions 8.7.17 and 9.3.1. As a general security measure, it is recommended to disable the 'yaml.decode_php' setting if the PHP PECL package yaml is installed. Users should update to the patched versions to resolve the vulnerability (TYPO3 Advisory).

The vulnerability was reported by TYPO3 core team member Oliver Hader and fixed by core team member Ralf Zimmermann, demonstrating the project's active security maintenance and response to identified vulnerabilities (TYPO3 Advisory).