GHSA-3h52-6v6j-6wwvHigh
TYPO3 SQL Injection in extension "Address List" (tt_address)
🔗 CVE IDs covered (1)
📋 Description
In the TYPO3 extension tt_address, the AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, custom extensions that call this method with untrusted input would expose the site to SQL injection. This has been patched in version 8.1.2, 9.1.1, and 10.0.1.
🎯 Affected products3
- composer/friendsoftypo3/tt-address:>= 10.0.0, < 10.0.1
- composer/friendsoftypo3/tt-address:>= 9.0.0, < 9.1.1
- composer/friendsoftypo3/tt-address:< 8.1.2