CVE-2012-6144 — Typo3 Backend History Module Vulnerable to SQL Injection

Description

SQL injection vulnerability in the Backend History module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 Due to missing encoding of user input, the history module is susceptible to SQL Injection and Cross-Site Scripting. A valid backend login is required to exploit this vulnerability.

How to fix CVE-2012-6144

To remediate CVE-2012-6144, upgrade the affected package to a fixed version below.

Debian/typo3-src—upgrade to 4.3.9+dfsg1-1+squeeze7 or later
Packagist/typo3/cms—upgrade to 4.5.21 or later

Is CVE-2012-6144 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.3.9+dfsg1-1+squeeze7
>= 4.5.0, < 4.5.21

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-6144
WEBexchange.xforce.ibmcloud.com/vulnerabilities/79964
WEBtypo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-005
WEBwww.openwall.com/lists/oss-security/2013/06/19/4