Description

The escapeStrForLike method in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly escape input when the MySQL database is set to sql_mode NO_BACKSLASH_ESCAPES, which allows remote attackers to obtain sensitive information via wildcard characters in a LIKE query.

Remediation

References

CVE-2010-5104

Related Vulnerabilities

Python Unchecked Return Value Vulnerability (CVE-2021-4189)

XOOPS Improper Link Resolution Before File Access ('Link Following') Vulnerability (CVE-2008-0613)

WordPress Plugin Contact Form by WD-responsive drag & drop contact form builder tool SQL Injection (1.7.30)

Envoy Proxy CVE-2023-27488 Vulnerability (CVE-2023-27488)

Joomla Improper Access Control Vulnerability (CVE-2015-7899)

Severity

Medium

Classification

CVE-2010-5104 CWE-200

Tags

Missing Update Known Vulnerabilities