An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed, and a valid backend user who has administrator privileges.
{
"cpe": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.7.30"
},
{
"introduced": "9.0.0"
},
{
"fixed": "9.5.12"
},
{
"introduced": "10.0.0"
},
{
"fixed": "10.2.2"
}
],
"source": "CPE_RANGE"
}