CVE-2019-19850

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2019-19850
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-19850.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-19850
Aliases
Published
2019-12-17T17:15:18Z
Modified
2024-06-06T12:43:01.545274Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed, and a valid backend user who has administrator privileges.

References

Affected packages

Git / github.com/typo3/typo3

Affected ranges

Type
GIT
Repo
https://github.com/typo3/typo3
Events
Type
GIT
Repo
https://github.com/typo3/typo3.cms
Events

Affected versions

8.*

8.0.0
8.1.0
8.2.0
8.3.0
8.4.0
8.5.0
8.6.0
8.7.0
8.7.1
8.7.10
8.7.11
8.7.12
8.7.13
8.7.14
8.7.15
8.7.16
8.7.17
8.7.18
8.7.19
8.7.2
8.7.20
8.7.21
8.7.22
8.7.23
8.7.24
8.7.25
8.7.26
8.7.27
8.7.28
8.7.29
8.7.4
8.7.5
8.7.6
8.7.7
8.7.8
8.7.9

Other

TYPO3_8-0-0
TYPO3_8-1-0
TYPO3_8-2-0
TYPO3_8-3-0
TYPO3_8-4-0
TYPO3_8-5-0
TYPO3_8-6-0
TYPO3_8-7-0
TYPO3_8-7-1
TYPO3_8-7-10
TYPO3_8-7-11
TYPO3_8-7-12
TYPO3_8-7-13
TYPO3_8-7-14
TYPO3_8-7-15
TYPO3_8-7-16
TYPO3_8-7-17
TYPO3_8-7-18
TYPO3_8-7-19
TYPO3_8-7-2
TYPO3_8-7-20
TYPO3_8-7-21
TYPO3_8-7-22
TYPO3_8-7-23
TYPO3_8-7-24
TYPO3_8-7-25
TYPO3_8-7-26
TYPO3_8-7-27
TYPO3_8-7-28
TYPO3_8-7-29
TYPO3_8-7-4
TYPO3_8-7-5
TYPO3_8-7-6
TYPO3_8-7-7
TYPO3_8-7-8
TYPO3_8-7-9

v10.*

v10.0.0
v10.1.0
v10.2.0
v10.2.1

v8.*

v8.7.10
v8.7.11
v8.7.12
v8.7.13
v8.7.14
v8.7.15
v8.7.16
v8.7.17
v8.7.18
v8.7.19
v8.7.20
v8.7.21
v8.7.22
v8.7.23
v8.7.24
v8.7.25
v8.7.26
v8.7.27
v8.7.28
v8.7.29
v8.7.4
v8.7.5
v8.7.6
v8.7.7
v8.7.8
v8.7.9