terminal42/contao-tablelookupwizard possible SQL injection in widget field value · GHSA-7fpj-wc8v-9cgc · GitHub Advisory Database · GitHub

terminal42/contao-tablelookupwizard possible SQL injection in widget field value

Critical severity GitHub Reviewed Published May 30, 2024 to the GitHub Advisory Database • Updated May 30, 2024

Package

terminal42/contao-tablelookupwizard (Composer)

Affected versions

>= 1.0.0, < 3.3.5

Patched versions

3.3.5

Description

Impact

The currently selected widget values were not correctly sanitized before passing it to the database, leading to an SQL injection possibility.

Patches

The issue has been patched in tablelookupwizard version 3.3.5 and version 4.0.0.

For more information

If you have any questions or comments about this advisory:

Open an issue in https://github.com/terminal42/contao-tablelookupwizard
Email us at [email protected]

References

Published to the GitHub Advisory Database May 30, 2024

Reviewed May 30, 2024

Last updated May 30, 2024

Severity

Critical

9.8

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H