Headline
GHSA-9895-53fc-98v2: TYPO3 SQL Injection in dbal
A flaw in the database escaping API results in a SQL injection vulnerability when extension dbal is enabled and configured for MySQL passthrough mode in its extension configuration. All queries which use the DatabaseConnection::sql_query are vulnerable, even if arguments were properly escaped with DatabaseConnection::quoteStr beforehand.
TYPO3 SQL Injection in dbal
High severity GitHub Reviewed Published Jun 3, 2024 to the GitHub Advisory Database • Updated Jun 3, 2024