GHSA-g868-j3qm-4j28High
georgringer/news has SQL Injection in extension "News system" (news)
🔗 CVE IDs covered (1)
📋 Description
The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.
🎯 Affected products5
- composer/georgringer/news:>= 12.0.0, < 12.3.2
- composer/georgringer/news:>= 13.0.0, < 13.0.2
- composer/georgringer/news:>= 14.0.0, < 14.0.3
- composer/georgringer/news:< 10.0.4
- composer/georgringer/news:>= 11.0.0, < 11.4.4