Severity: HIGH
GHSA-g868-j3qm-4j28
georgringer/news has SQL Injection in extension "News system" (news)
Details
The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.
Affected packages (Packagist / georgringer/news)
Introduced in 0, fixed in 10.0.4. Fix: composer require georgringer/news:^10.0.4
Introduced in 11.0.0, fixed in 11.4.4. Fix: composer require georgringer/news:^11.4.4
Introduced in 12.0.0, fixed in 12.3.2. Fix: composer require georgringer/news:^12.3.2
Introduced in 13.0.0, fixed in 13.0.2. Fix: composer require georgringer/news:^13.0.2
Introduced in 14.0.0, fixed in 14.0.3. Fix: composer require georgringer/news:^14.0.3
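An added example, not part of the advisory or of the extension's own code: it checks the georgringer/news entry of a composer.lock against the version ranges listed above and applies the advisory's exploitation preconditions (Date Menu plugin in use, disableOverrideDemand not enabled). The composer.lock content is constructed inline; pre-release versions are treated as older than their final release so that a release candidate of a fixed version still reports as affected.

```python
import json

# Affected ranges from GHSA-g868-j3qm-4j28: (first affected, first fixed) per branch.
AFFECTED_RANGES = [
    ("0", "10.0.4"),
    ("11.0.0", "11.4.4"),
    ("12.0.0", "12.3.2"),
    ("13.0.0", "13.0.2"),
    ("14.0.0", "14.0.3"),
]

# Constructed composer.lock excerpt for demonstration only.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "typo3/cms-core", "version": "v12.4.10"},
        {"name": "georgringer/news", "version": "12.3.1"},
    ],
    "packages-dev": [],
})


def parse_version(version):
    """Return a comparable tuple (major, minor, patch, is_final).

    A pre-release suffix ("-rc1", "-beta2") makes is_final 0, so it sorts
    below the final release with the same number; build metadata ("+...") is ignored.
    """
    core, sep, _suffix = version.lstrip("v").partition("-")
    parts = core.split("+")[0].split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version: {version!r}")
    nums = [int(p) for p in parts][:3]
    nums += [0] * (3 - len(nums))
    return (*nums, 0 if sep else 1)


def is_affected(version):
    """True if the version lies in any [introduced, fixed) range of the advisory."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def check_composer_lock(lock_json):
    """Return (installed version, affected?) for georgringer/news, or (None, False)."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == "georgringer/news":
            return pkg["version"], is_affected(pkg["version"])
    return None, False


def exposed(version, date_menu_plugin_in_use, disable_override_demand):
    """Exploitable only with an affected version, the Date Menu plugin in use,
    and disableOverrideDemand not enabled, as the advisory states."""
    return is_affected(version) and date_menu_plugin_in_use and not disable_override_demand
```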