Description
A blind SQL injection vulnerability was reported in the News plugin for TYPO3.

An authenticated remote attacker could exploit it by sending specially crafted HTTP POST requests to access data stored in the database, such as usernames and their associated passwords (stored in the "be_users" table).

This vulnerability, located in several parameters of the "NewsController.php" script, stems from improper user-input validation and an improper blacklist for input passed to the "OrderByAllowed" parameter.

A proof of concept is available.
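The root cause named above is a blacklist applied to a sort parameter. The added example below is not code from the News extension or TYPO3. It shows the allowlist alternative, where the ORDER BY clause is built only from exact matches against a fixed list of fields. `buildOrderBy`, the field names and the sample inputs are hypothetical, and the backtick quoting assumes MySQL/MariaDB.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (assumption, not the extension's API).
 * Returns an ORDER BY clause built only from allowlisted fields,
 * or null when any part of the request is not an exact match.
 */
function buildOrderBy(string $requested, array $allowedFields): ?string
{
    $parts = [];
    foreach (explode(',', $requested) as $item) {
        // Expect "field" or "field direction"; any other token count is rejected.
        $tokens = preg_split('/\s+/', trim($item), -1, PREG_SPLIT_NO_EMPTY);
        if ($tokens === false || count($tokens) < 1 || count($tokens) > 2) {
            return null;
        }
        $field = $tokens[0];
        $direction = strtoupper($tokens[1] ?? 'ASC');

        // Exact, type-strict membership test: no substring or pattern filtering.
        if (!in_array($field, $allowedFields, true)) {
            return null;
        }
        if ($direction !== 'ASC' && $direction !== 'DESC') {
            return null;
        }
        // Only allowlisted names and fixed keywords are emitted.
        $parts[] = '`' . $field . '` ' . $direction;
    }
    return implode(', ', $parts);
}

// Constructed sample inputs; the allowlist is developer-controlled.
$allowed = ['title', 'datetime', 'uid'];
$samples = [
    'datetime desc',       // accepted
    'title, uid DESC',     // accepted, two fields
    'be_users.password',   // rejected: not in the allowlist
    'title desc extra',    // rejected: unexpected third token
    '',                    // rejected: empty request
];
foreach ($samples as $s) {
    $clause = buildOrderBy($s, $allowed);
    printf("%-22s => %s\n", var_export($s, true), $clause ?? 'REJECTED');
}
```

A rejected request should fall back to a fixed default ordering instead of being passed to the query builder.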