CVE-2019-19850
 
- Severity Score: (not shown)
- Exploit Likelihood: (not shown)
- Affected Versions: see table below
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed, and a valid backend user who has administrator privileges.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-12-17 CVE Reserved
- 2019-12-17 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (2)
URL | Date | Source
---|---|---
https://review.typo3.org/q/%2522Resolves:+%252389452%2522+topic:security | 2019-12-20 | 
https://typo3.org/security/advisory/typo3-core-sa-2019-025 | 2019-12-20 | 
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Typo3 | Typo3 | >= 8.0.0 < 8.7.30 | - | Affected
Typo3 | Typo3 | >= 9.0.0 < 9.5.12 | - | Affected
Typo3 | Typo3 | >= 10.0.0 < 10.2.2 | - | Affected