The escapeStrForLike method in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly escape input when the MySQL database is set to sql_mode NO_BACKSLASH_ESCAPES, which allows remote attackers to obtain sensitive information via wildcard characters in a LIKE query.
2012-05-21T20:55:17.617
2025-04-11T00:51:21.963
Deferred
CVSSv2: 4.3 (MEDIUM)
AV:N/AC:M/Au:N/C:P/I:N/A:N
8.6
2.9
Type | Vendor | Product | Version/Range | Vulnerable? |
---|---|---|---|---|
Application | typo3 | typo3 | 4.2.0 | Yes |
Application | typo3 | typo3 | 4.2.1 | Yes |
Application | typo3 | typo3 | 4.2.2 | Yes |
Application | typo3 | typo3 | 4.2.3 | Yes |
Application | typo3 | typo3 | 4.2.4 | Yes |
Application | typo3 | typo3 | 4.2.5 | Yes |
Application | typo3 | typo3 | 4.2.6 | Yes |
Application | typo3 | typo3 | 4.2.7 | Yes |
Application | typo3 | typo3 | 4.2.8 | Yes |
Application | typo3 | typo3 | 4.2.9 | Yes |
Application | typo3 | typo3 | 4.2.10 | Yes |
Application | typo3 | typo3 | 4.2.11 | Yes |
Application | typo3 | typo3 | 4.2.12 | Yes |
Application | typo3 | typo3 | 4.2.13 | Yes |
Application | typo3 | typo3 | 4.2.14 | Yes |
Application | typo3 | typo3 | 4.2.15 | Yes |
Application | typo3 | typo3 | 4.3.0 | Yes |
Application | typo3 | typo3 | 4.3.1 | Yes |
Application | typo3 | typo3 | 4.3.2 | Yes |
Application | typo3 | typo3 | 4.3.3 | Yes |
Application | typo3 | typo3 | 4.3.4 | Yes |
Application | typo3 | typo3 | 4.3.5 | Yes |
Application | typo3 | typo3 | 4.3.6 | Yes |
Application | typo3 | typo3 | 4.3.7 | Yes |
Application | typo3 | typo3 | 4.3.8 | Yes |
Application | typo3 | typo3 | 4.4.1 | Yes |
Application | typo3 | typo3 | 4.4.2 | Yes |
Application | typo3 | typo3 | 4.4.3 | Yes |
Application | typo3 | typo3 | 4.4.4 | Yes |