TYPO3 SQL Injection in extension "Address List" (tt_address)
Advisory: GHSA-3h52-6v6j-6wwv
Severity: HIGH
Details
In the TYPO3 extension `tt_address`, the `AddressRepository::getSqlQuery()` method builds a database query without properly sanitizing user input, which allows SQL injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, any custom extension that calls this method with untrusted input exposes the site to SQL injection. This has been patched in versions 8.1.2, 9.1.1, and 10.0.1.
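The following is an added illustration of the bug class named above and the fix a custom extension should apply; it is not code from the tt_address extension or its advisory, and the class and method names (`AddressLookupExample`, `unsafeSql`, `safeQuery`) as well as the chosen input parameters are assumptions for the example. The hardened variant uses TYPO3's `ConnectionPool`/`QueryBuilder` API with bound parameters and an allow-list for the sort column, so it needs a TYPO3 runtime to execute.

```php
<?php
declare(strict_types=1);

use TYPO3\CMS\Core\Database\Connection;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Utility\GeneralUtility;

/**
 * Added example (hypothetical names), not the extension's own code.
 * It contrasts string-built SQL with a parameterised TYPO3 QueryBuilder query.
 */
final class AddressLookupExample
{
    /**
     * Vulnerable pattern: request-controlled strings are concatenated straight
     * into SQL text. Anything a caller passes here becomes part of the statement.
     * Kept only to show what a consumer of such a method must never feed it.
     */
    public function unsafeSql(string $pidList, string $sortBy): string
    {
        return 'SELECT * FROM tt_address WHERE pid IN (' . $pidList . ') ORDER BY ' . $sortBy;
    }

    /**
     * Hardened form: page ids travel as bound integer parameters, and the
     * ORDER BY column (an identifier, which cannot be bound) is checked
     * against an allow-list before being passed to the builder.
     *
     * @param int[] $pids    page ids taken from the request
     * @param string $sortBy requested sort column
     * @return array<int, array<string, mixed>> address rows
     */
    public function safeQuery(array $pids, string $sortBy): array
    {
        // Identifiers must be allow-listed; a default is used for anything else.
        $allowedSort = ['last_name', 'first_name', 'company'];
        if (!in_array($sortBy, $allowedSort, true)) {
            $sortBy = 'last_name';
        }

        // Coerce every id to int so the bound array holds integers only.
        $pids = array_map('intval', $pids);

        $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
            ->getQueryBuilderForTable('tt_address');

        return $queryBuilder
            ->select('*')
            ->from('tt_address')
            ->where(
                $queryBuilder->expr()->in(
                    'pid',
                    // PARAM_INT_ARRAY expands to one bound placeholder per id.
                    $queryBuilder->createNamedParameter($pids, Connection::PARAM_INT_ARRAY)
                )
            )
            ->orderBy($sortBy)
            ->executeQuery()
            ->fetchAllAssociative();
    }
}
```

The practical check for site integrators is to grep custom extensions for calls to `AddressRepository::getSqlQuery()`; where one exists, either upgrade tt_address to a fixed version and stop passing request data into it, or replace the call with a builder-based query like `safeQuery()` above.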
Affected packages (Packagist / friendsoftypo3/tt-address)
Introduced in   Fixed in   Fix
10.0.0          10.0.1     composer require friendsoftypo3/tt-address:^10.0.1
9.0.0           9.1.1      composer require friendsoftypo3/tt-address:^9.1.1
0               8.1.2      composer require friendsoftypo3/tt-address:^8.1.2