Abstract Advisory Information
A field of the administration panel is prone to SQL injection because a specific part of the SQL query is built without input sanitization, allowing an attacker with administrator access to dump the entire database of the application.
Authors: Alexis Pain
Version affected
Name: TYPO3 CMS
Versions: 10.4.13
Common Vulnerability Scoring System
Score: 4.9
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Patches
Updated extension versions 2.6.2 and 2.7.1 are available through the TYPO3 Extension Manager
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31777
https://typo3.org/security/advisory/typo3-ext-sa-2021-005
Vulnerability Disclosure Timeline
- 01/04/2021: Vulnerability discovery
- 01/04/2021: Vulnerability Report to CERT-XLM
- 06/04/2021: Vulnerability Report to TYPO3
- 20/04/2021: TYPO3 acknowledgment
- 20/04/2021: CVE ID requested from MITRE by TYPO3
- 27/04/2021: Vulnerability fixed
- 28/04/2021: Public Vulnerability Disclosure