CVE-2010-5104

Exposure of Sensitive Information to an Unauthorized Actor in packagist/typo3/cms-core

Identifiers

GHSA-xgc2-q928-27wv, CVE-2010-5104

Package Slug

packagist/typo3/cms-core

Vulnerability

Exposure of Sensitive Information to an Unauthorized Actor

Description

The escapeStrForLike method in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly escape input when the MySQL database is set to sql_mode NO_BACKSLASH_ESCAPES, which allows remote attackers to obtain sensitive information via wildcard characters in a LIKE query.
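The following is an added example, not TYPO3's code, showing why backslash-prefixing LIKE wildcards stops working once backslash is no longer the escape character, and how declaring the escape character in the query avoids depending on server mode. It assumes an in-memory SQLite database as a stand-in, because SQLite's LIKE has no default escape character, as is the case for MySQL under NO_BACKSLASH_ESCAPES; the function names, the `users` table, its rows and the `|` escape character are all constructed for illustration.

```python
import sqlite3


def escape_backslash(term):
    # Backslash-prefix the wildcards. This only works if the database
    # treats backslash as the LIKE escape character by default.
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def escape_explicit(term, esc="|"):
    # Escape the escape character itself first, then both wildcards.
    for ch in (esc, "%", "_"):
        term = term.replace(ch, esc + ch)
    return term


def make_db():
    # Constructed sample rows, not data from the advisory.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    rows = [("a_c",), ("abc",), ("a\\xc",), ("a\\_c",)]
    conn.executemany("INSERT INTO users VALUES (?)", rows)
    return conn


def search(conn, term, hardened):
    # Both variants bind the pattern as a parameter; they differ only in
    # whether the query names its own escape character.
    if hardened:
        sql = ("SELECT username FROM users "
               "WHERE username LIKE ? ESCAPE '|' ORDER BY username")
        pattern = escape_explicit(term)
    else:
        sql = ("SELECT username FROM users "
               "WHERE username LIKE ? ORDER BY username")
        pattern = escape_backslash(term)
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    # The caller wants rows equal to the literal string "a_c".
    print("backslash escaping:", search(db, "a_c", hardened=False))
    print("explicit ESCAPE:   ", search(db, "a_c", hardened=True))
```

With backslash escaping the `_` stays a live wildcard and the backslash becomes a literal character, so the query returns rows the caller never asked for and misses the intended one; with the explicit ESCAPE clause only the literal match is returned.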

Affected Versions

All versions starting from 4.2.0 before 4.2.16, all versions starting from 4.3.0 before 4.3.9, all versions starting from 4.4.0 before 4.4.5

Solution

Upgrade to versions 4.2.16, 4.3.9, 4.4.5 or above.

Last Modified

2024-02-09
