CVE-2011-3583 — Typo3 SQL injection due to faulty prepared statements

Description

It was found that Typo3 Core versions 4.5.0 - 4.5.5 uses prepared statements that, if the parameter values are not properly replaced, could lead to a SQL Injection vulnerability. This issue can only be exploited if two or more parameters are bound to the query and at least two come from user input.

How to fix CVE-2011-3583

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2011-3583 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 4.5.0, <= 4.5.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2011-3583
PATCHgithub.com/TYPO3/typo3
WEBaccess.redhat.com/security/cve/cve-2011-3583
WEBbugs.debian.org/cgi-bin/bugreport.cgi?bug=641682
WEB