Description
The escapeStrForLike method in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly escape input when the MySQL database is set to sql_mode NO_BACKSLASH_ESCAPES, which allows remote attackers to obtain sensitive information via wildcard characters in a LIKE query.
References (9)
Core References
- Vendor Advisory (x_refsource_confirm): http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-sa-2010-022/
- Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/45470
- Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/35770
- Mailing List (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2012/05/12/5
- Mailing List (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2011/01/13/2
- Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb): http://www.osvdb.org/70116
- Mailing List (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2012/05/11/3
- Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/64185
- Mailing List (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2012/05/10/7
Scores
EPSS: 0.0076
EPSS Percentile: 73.7%
Details
CWE: CWE-200
Status: published
Products (30)
- typo3/cms-core 4.2.0 - 4.2.16 (Packagist)
- typo3/typo3 4.2.0
- typo3/typo3 4.2.1
- typo3/typo3 4.2.2
- typo3/typo3 4.2.3
- typo3/typo3 4.2.4
- typo3/typo3 4.2.5
- typo3/typo3 4.2.6
- typo3/typo3 4.2.7
- typo3/typo3 4.2.8
... and 20 more
Published: May 21, 2012
Tracked Since: Feb 18, 2026