TYPO3 News System SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the TYPO3 extension 'News system' (news), specifically in versions 14.0.0 to 14.0.2, 13.0.0 to 13.0.1, 12.0.0 to 12.3.1, and 11.4.3 and below. The vulnerability arises because the extension does not properly sanitize user input before incorporating it into database queries. This flaw allows an unauthenticated attacker to inject arbitrary SQL through a URL parameter on pages that utilize the 'Date Menu of news articles' plugin. Exploitation requires the 'Date Menu of news articles' plugin to be active and the TypoScript/Plugin setting 'disableOverrideDemand' to be disabled.

Impact

Exploitation of this vulnerability allows for arbitrary SQL injection, which could lead to unauthorized data access or manipulation within the database.

Remediation

Users are advised to update to version 14.0.3, 13.0.2, 12.3.2, or 11.4.4. The updated versions are available through the TYPO3 extension manager, Packagist, and from the TYPO3 Extensions Repository.
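To turn the version ranges above into a repeatable check, here is an added Python example (not code from the advisory or the extension project) that tells you whether an installed 'news' version falls in an affected range and which release fixes it; it assumes the extension is tracked in composer.lock under the Packagist name georgringer/news and uses a constructed sample lock excerpt.

```python
"""Check an installed TYPO3 'news' extension version against the affected
ranges listed in the advisory above (added example, not project code)."""
import json
from typing import Optional, Tuple

# Affected ranges per release branch, as stated in the advisory:
# (lowest affected, highest affected, first fixed version).
# "11.4.3 and below" is modelled with an open lower bound (None).
AFFECTED_RANGES = (
    ((14, 0, 0), (14, 0, 2), (14, 0, 3)),
    ((13, 0, 0), (13, 0, 1), (13, 0, 2)),
    ((12, 0, 0), (12, 3, 1), (12, 3, 2)),
    (None,       (11, 4, 3), (11, 4, 4)),
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.3.1', 'v12.3.1' or '14.0.0-beta1' into a comparable int tuple."""
    core = text.strip().lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def check_version(version: str) -> Tuple[bool, Optional[str]]:
    """Return (is_affected, first fixed version on that branch or None)."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if (low is None or v >= low) and v <= high:
            return True, ".".join(str(n) for n in fixed)
    return False, None


def check_composer_lock(lock_json: str,
                        package: str = "georgringer/news"  # assumed Packagist name
                        ) -> Optional[Tuple[bool, Optional[str]]]:
    """Find the extension in a composer.lock document and check its version.
    Returns None when the package is not installed at all."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") == package:
            return check_version(pkg["version"])
    return None


# Constructed sample composer.lock excerpt (not taken from a real site).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "typo3/cms-core", "version": "v13.4.0"},
    {"name": "georgringer/news", "version": "12.3.1"},
]})

if __name__ == "__main__":
    result = check_composer_lock(SAMPLE_LOCK)
    print("not installed" if result is None else
         f"affected={result[0]} update_to={result[1]}")
```

Run it against the real composer.lock of a site (read the file and pass its contents) to get the upgrade target for that site's branch.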

Added: May 19, 2026, 10:18 AM
Updated: May 19, 2026, 10:18 AM

Vulnerability Rating

Custom Algorithm

spread:         6.4
impact:         2.5
exploitability: 6.8
remediation:    3.1
relevance:      8.8
threat:         0.0
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.