CVE-2021-31777: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The dce (aka Dynamic Content Element) extension 2.2.0 through 2.6.x before 2.6.2, and 2.7.x before 2.7.1, for TYPO3 allows SQL Injection via a backend user account.
References
- packetstormsecurity.com/files/162429/TYPO3-6.2.1-SQL-Injection.html
- bitbucket.org/ArminVieweg/dce/commits/998a2392f69f2153797c5ace6e8914ca309e70c7
- excellium-services.com/cert-xlm-advisory/
- github.com/advisories/GHSA-5v5h-4w2g-gxxc
- nvd.nist.gov/vuln/detail/CVE-2021-31777
- packagist.org/packages/t3/dce
- typo3.org/security/advisory/typo3-ext-sa-2021-005