PT-2019-15982 · Typo3
Dhiraj Shrikant Datar
Published: 2019-12-17
Updated: 2022-05-24
CVE-2019-19850
CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
TYPO3 versions prior to 8.7.30
TYPO3 versions 9.x prior to 9.5.12
TYPO3 versions 10.x prior to 10.2.2
Description
The vulnerability stems from incorrect escaping of user-submitted content in the QueryGenerator class, which makes it vulnerable to SQL injection. Exploitation requires the system extension ext:lowlevel to be installed and a valid backend user account with administrator privileges.
Recommendations
For versions prior to 8.7.30, update to version 8.7.30 or later.
For versions 9.x prior to 9.5.12, update to version 9.5.12 or later.
For versions 10.x prior to 10.2.2, update to version 10.2.2 or later.
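The three affected ranges above and the ext:lowlevel precondition translate directly into an inventory check. The following helper is an added illustration, not code from TYPO3 or from the advisory's author; the fixed-version tuples come from the list above, the handling of branches the advisory does not mention (11.x and newer are treated as not listed) and the three result strings are assumptions of this example.

```python
"""Classify an installed TYPO3 version against the affected ranges of
CVE-2019-19850 (PT-2019-15982). Added example, not TYPO3 project code."""
from typing import Tuple

# Fix lines per branch, taken from the advisory's affected-version list.
# Anything below 9.x is compared against 8.7.30 because the advisory says
# "versions prior to 8.7.30" without a lower bound.
FIXED_VERSIONS = {
    8: (8, 7, 30),   # "prior to 8.7.30"
    9: (9, 5, 12),   # "9.x prior to 9.5.12"
    10: (10, 2, 2),  # "10.x prior to 10.2.2"
}

NOT_AFFECTED = "not affected"
# Vulnerable QueryGenerator code is present, but the advisory's precondition
# (ext:lowlevel installed) is not met: still update, but lower urgency.
LATENT = "update required (vulnerable code present, ext:lowlevel not installed)"
EXPLOITABLE = "update required (vulnerable and ext:lowlevel installed)"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '9.5.11' (or a shorter '9.5') into a comparable (major, minor, patch)."""
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised TYPO3 version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    major = v[0]
    if major > 10:
        # Assumption of this example: branches the advisory does not list
        # (11.x and newer did not exist at publication) are treated as unaffected.
        return False
    if major in (9, 10):
        return v < FIXED_VERSIONS[major]
    # 8.x and everything older: "versions prior to 8.7.30"
    return v < FIXED_VERSIONS[8]


def assess(version: str, lowlevel_installed: bool) -> str:
    """Combine the version check with the ext:lowlevel precondition."""
    if not is_affected(version):
        return NOT_AFFECTED
    return EXPLOITABLE if lowlevel_installed else LATENT


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, TYPO3 version, ext:lowlevel active?)
    inventory = [
        ("cms-01.example", "8.7.29", True),
        ("cms-02.example", "9.5.11", False),
        ("cms-03.example", "10.2.2", True),
    ]
    for host, ver, lowlevel in inventory:
        print(f"{host}: TYPO3 {ver}: {assess(ver, lowlevel)}")
```

The split between "latent" and "exploitable" mirrors the advisory's own wording: the precondition limits who can trigger the flaw, but the vulnerable class is still shipped, so the update recommendation applies either way.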
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Typo3