CVE-2017-7581

CRITICAL

TYPO3 News module <5.3.2 - SQL Injection

Title source: llm

Description

SQL injection vulnerability in NewsController.php in the News module 5.3.2 and earlier for TYPO3 allows unauthenticated users to execute arbitrary SQL commands via vectors involving overwriteDemand for order and OrderByAllowed.

Exploits (1)

metasploit WORKING POC
by Marco Rivoli, Charles Fol · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/typo3_news_module_sqli.rb

Scores

CVSS v3 9.8
EPSS 0.6451
EPSS Percentile 98.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-89
Status published
Products (1)
news_system_project/news_system < 5.3.2
Published Apr 07, 2017
Tracked Since Feb 18, 2026