CVE-2012-6144
typo3-src - several
EPSS 0.60%
Description
SQL injection vulnerability in the Backend History module in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6. Due to missing encoding of user input, the history module is susceptible to SQL Injection and Cross-Site Scripting. A valid backend login is required to exploit this vulnerability.
How to fix CVE-2012-6144
To remediate CVE-2012-6144, upgrade the affected package to one of the fixed versions listed below.
- Debian/typo3-src—upgrade to 4.3.9+dfsg1-1+squeeze7 or later
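- Packagist/typo3/cms—upgrade to 4.5.21 or later; for the 4.6.x and 4.7.x branches, the description above gives 4.6.14 and 4.7.6 as the first unaffected releases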
Is CVE-2012-6144 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/typo3-src: from 0, < 4.3.9+dfsg1-1+squeeze7
- Packagist/typo3/cms: >= 4.5.0, < 4.5.21