CVE-2010-5104 — Sensitive Information Exposure in Cms-core

CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.8%

top 26.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Typo3 Cms-core Typo3

Timeline

PublishedMay 21

Latest updateMay 17

Description

The escapeStrForLike method in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly escape input when the MySQL database is set to sql_mode NO_BACKSLASH_ESCAPES, which allows remote attackers to obtain sensitive information via wildcard characters in a LIKE query.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶Packagisttypo3/cms-core4.2.0 — 4.2.16+2

▶NVDtypo3/typo329 versions+28

🔴Vulnerability Details

GHSA

TYPO3 Sensitive Information Disclosure via escapeStrForLike method↗2022-05-17

▶

OSV

TYPO3 Sensitive Information Disclosure via escapeStrForLike method↗2022-05-17

▶

CVEList

CVE-2010-5104: The escapeStrForLike method in TYPO3 4↗2012-05-21

▶