CVE-2010-5104 – typo3/cms-core
Package
Manager: composer
Name: typo3/cms-core
Vulnerable Version: >=4.2.0 <4.2.16 || >=4.3.0 <4.3.9 || >=4.4.0 <4.4.5
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00765 (percentile 0.72532)
Details
TYPO3 Sensitive Information Disclosure via escapeStrForLike method
The escapeStrForLike method in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly escape input when the MySQL database is set to sql_mode NO_BACKSLASH_ESCAPES, which allows remote attackers to obtain sensitive information via wildcard characters in a LIKE query.
Metadata
Created: 2022-05-17T01:55:53Z
Modified: 2024-02-07T23:31:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xgc2-q928-27wv/GHSA-xgc2-q928-27wv.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-xgc2-q928-27wv
Finding: F038