TYPO3 Sensitive Information Disclosure via escapeStrForLike method
Moderate severity
GitHub Reviewed
Published May 17, 2022 to the GitHub Advisory Database • Updated Feb 7, 2024
Package
Affected versions
>= 4.2.0, < 4.2.16
>= 4.3.0, < 4.3.9
>= 4.4.0, < 4.4.5
Patched versions
4.2.16
4.3.9
4.4.5
Description
Published by the National Vulnerability Database: May 21, 2012
Published to the GitHub Advisory Database: May 17, 2022
Reviewed: Feb 7, 2024
Last updated: Feb 7, 2024
The escapeStrForLike method in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly escape input when the MySQL database is set to sql_mode NO_BACKSLASH_ESCAPES, which allows remote attackers to obtain sensitive information via wildcard characters in a LIKE query.

Why the sql_mode matters: escapeStrForLike neutralises the LIKE wildcards % and _ by prefixing each with a backslash, relying on the backslash being MySQL's default LIKE escape character. When NO_BACKSLASH_ESCAPES is part of the session sql_mode, a backslash is an ordinary character inside string literals and a LIKE clause without an explicit ESCAPE has no escape character at all, so the inserted backslash is matched literally and attacker-supplied % and _ keep their wildcard meaning. Any query that builds a LIKE pattern from user input with this method can then match more rows than the application intended.

To check an installation, run SELECT @@SESSION.sql_mode; over the connection TYPO3 uses (the server's global default can be overridden per session). If the result contains NO_BACKSLASH_ESCAPES, upgrade to a patched version and remove that mode from the MySQL configuration; queries that must behave the same under either mode should state their escape character explicitly with an ESCAPE clause.
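As an added illustration (not code from TYPO3 or from this advisory), the following Python script models the pieces involved: the escaping escapeStrForLike performs, what fullQuoteStr's mysql_real_escape_string does in each mode, how the MySQL parser decodes the resulting literal, and how LIKE then interprets the pattern with and without NO_BACKSLASH_ESCAPES. It also shows a mode-independent alternative that states its escape character with an ESCAPE clause; that alternative is an assumption of the example, not the fix shipped in the patched versions. The table tx_docs, its path column and the row values are constructed for the example, and mysql_real_escape_string is reduced to the two characters that matter here.

```python
"""Model, in Python, of how MySQL's NO_BACKSLASH_ESCAPES sql_mode defeats
backslash-based LIKE escaping of the kind escapeStrForLike performs, and how
an explicit ESCAPE clause makes the escaping independent of sql_mode."""
import re

BS = "\\"  # one backslash character


def escape_str_for_like(value):
    """Mimic escapeStrForLike (addcslashes($str, '_%')): prefix % and _ with a backslash."""
    return "".join(BS + c if c in "%_" else c for c in value)


def full_quote_str(value, no_backslash_escapes):
    """Mimic fullQuoteStr -> mysql_real_escape_string, reduced to ' and backslash.
    Default mode backslash-escapes both; under NO_BACKSLASH_ESCAPES the client
    library only doubles single quotes and passes backslashes through."""
    if no_backslash_escapes:
        body = value.replace("'", "''")
    else:
        body = value.replace(BS, BS + BS).replace("'", BS + "'")
    return "'" + body + "'"


def parse_literal(literal, no_backslash_escapes):
    """Decode a single-quoted literal the way the MySQL parser does."""
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        c = body[i]
        nxt = body[i + 1] if i + 1 < len(body) else ""
        if c == "'" and nxt == "'":
            out.append("'")
            i += 2
        elif c == BS and nxt and not no_backslash_escapes:
            # MySQL keeps \% and \_ intact so they reach LIKE; \\ and \' collapse.
            out.append(BS + nxt if nxt in "%_" else nxt)
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def like_match(value, pattern, escape_char):
    """MySQL LIKE semantics (collation case folding ignored). escape_char=None
    models NO_BACKSLASH_ESCAPES without an ESCAPE clause: no escape at all."""
    rx, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == escape_char and i + 1 < len(pattern):
            rx.append(re.escape(pattern[i + 1]))
            i += 2
        else:
            rx.append(".*" if c == "%" else "." if c == "_" else re.escape(c))
            i += 1
    return re.fullmatch("".join(rx), value, re.DOTALL) is not None


def escape_for_like_portable(value, esc="!"):
    """Hardened variant assumed by this example (not TYPO3's own fix): escape
    %, _ and the escape character itself with a non-backslash ESCAPE character."""
    return "".join(esc + c if c in ("%", "_", esc) else c for c in value)


# A query is modelled as (pattern literal, escape literal or None).
def vulnerable_query(sword, no_backslash_escapes):
    """The idiom: ... LIKE fullQuoteStr('%' . escapeStrForLike($sword) . '%')"""
    return full_quote_str("%" + escape_str_for_like(sword) + "%", no_backslash_escapes), None


def hardened_query(sword, no_backslash_escapes, esc="!"):
    """The same search with the escape character stated in the query."""
    literal = full_quote_str("%" + escape_for_like_portable(sword, esc) + "%", no_backslash_escapes)
    return literal, full_quote_str(esc, no_backslash_escapes)


# Hypothetical table and column; tx_docs.path is an assumption of this example.
SELECT = "SELECT path FROM tx_docs WHERE path LIKE "


def render(query):
    """SQL text as the application would send it."""
    pattern_lit, esc_lit = query
    return SELECT + pattern_lit + ("" if esc_lit is None else " ESCAPE " + esc_lit)


def run(query, rows, no_backslash_escapes):
    """Evaluate the query against in-memory rows with the server's rules."""
    pattern_lit, esc_lit = query
    pattern = parse_literal(pattern_lit, no_backslash_escapes)
    if esc_lit is None:  # MySQL default: backslash, unless NO_BACKSLASH_ESCAPES is set
        esc = None if no_backslash_escapes else BS
    else:
        esc = parse_literal(esc_lit, no_backslash_escapes)
    return [r for r in rows if like_match(r, pattern, esc)]


# Constructed sample column values, e.g. file references on a Windows-hosted site.
ROWS = ["docs\\public\\intro.pdf", "docs\\internal\\salaries.pdf",
        "notes.txt", "100%_done.txt"]

if __name__ == "__main__":
    for nbe in (False, True):
        mode = "NO_BACKSLASH_ESCAPES" if nbe else "default sql_mode"
        for build in (vulnerable_query, hardened_query):
            q = build("internal%", nbe)
            print(f"{mode:<21} {render(q):<66} -> {run(q, ROWS, nbe)}")
```

Run it as a script to see the rendered SQL and the matching rows for the search term internal% in both modes: with the default sql_mode the literal '%internal\\%%' matches only rows containing the text internal%, while under NO_BACKSLASH_ESCAPES the literal '%internal\%%' matches any row in which internal is followed by a backslash and then anything, because the % is a live wildcard again. The backslash that escapeStrForLike inserted is still in the pattern, so in this idiom an attacker-supplied wildcard is always preceded by a literal backslash; how far the match can be widened in practice depends on the stored data and on how the application composes the rest of the pattern. The hardened variant, which escapes the escape character as well, returns the same rows in both modes.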
References