terminal42/contao-tablelookupwizard possible SQL injection in widget field value

2024-05-3013:12:13

Google

osv.dev

sql injection

widget field

database

patch

contao

tablelookupwizard

8 High

AI Score

Confidence

High

JSON

Impact

The currently selected widget values were not correctly sanitized before passing it to the database, leading to an SQL injection possibility.

Patches

The issue has been patched in tablelookupwizard version 3.3.5 and version 4.0.0.

For more information

If you have any questions or comments about this advisory:

Open an issue in https://github.com/terminal42/contao-tablelookupwizard
Email us at [email protected]

CPENameOperatorVersion
terminal42/contao-tablelookupwizardeq3.1.3
terminal42/contao-tablelookupwizardeq3.2.0
terminal42/contao-tablelookupwizardeq3.3.2
terminal42/contao-tablelookupwizardeq2.0.1
terminal42/contao-tablelookupwizardeq3.3.4
terminal42/contao-tablelookupwizardeq3.0.0
terminal42/contao-tablelookupwizardeq3.1.1
terminal42/contao-tablelookupwizardeq3.3.0
terminal42/contao-tablelookupwizardeq3.3.1
terminal42/contao-tablelookupwizardeq3.3.3

Name	Operator	Version
terminal42/contao-tablelookupwizard	eq	3.1.3
terminal42/contao-tablelookupwizard	eq	3.2.0
terminal42/contao-tablelookupwizard	eq	3.3.2
terminal42/contao-tablelookupwizard	eq	2.0.1
terminal42/contao-tablelookupwizard	eq	3.3.4
terminal42/contao-tablelookupwizard	eq	3.0.0
terminal42/contao-tablelookupwizard	eq	3.1.1
terminal42/contao-tablelookupwizard	eq	3.3.0
terminal42/contao-tablelookupwizard	eq	3.3.1
terminal42/contao-tablelookupwizard	eq	3.3.3

Rows per page:

1-10 of 131

References

github.com/FriendsOfPHP/security-advisories/blob/master/terminal42/contao-tablelookupwizard/2022-02-04-1.yaml

github.com/terminal42/contao-tablelookupwizard

github.com/terminal42/contao-tablelookupwizard/commit/a5e723a28f110b7df8ffc4175cef9b061d3cc717

github.com/terminal42/contao-tablelookupwizard/security/advisories/GHSA-v3mr-gp7j-pw5w