CVE-2010-3662
Description
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows SQL Injection on the backend.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TYPO3 backend SQL injection vulnerability in record editing forms due to insufficient input escaping, affecting versions before 4.1.14, 4.2.13, 4.3.4, and 4.4.1.
Vulnerability
Description
CVE-2010-3662 is a SQL injection vulnerability in the TYPO3 backend. The root cause is a failure to properly escape user input when constructing database queries in backend record editing forms [1]. This affects TYPO3 versions before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4, and 4.4.x before 4.4.1 [2].
Exploitation
Exploitation requires a valid backend login, as the vulnerable functionality is only accessible to authenticated users [1]. An attacker with backend credentials can craft malicious input in record editing forms to inject arbitrary SQL commands. The attack vector is over the network, targeting the TYPO3 backend interface.
Impact
Successful exploitation allows an attacker to execute arbitrary SQL queries against the TYPO3 database. This could lead to unauthorized reading or modification of sensitive data, including user credentials, content, and configuration settings [1]. The CVSS v2.0 score for this vulnerability is 6.8 (AV:N/AC:L/Au:S/C:P/I:N/A:N) [1], indicating a medium-to-high severity with partial confidentiality impact.
Mitigation
The vulnerability is fixed in TYPO3 versions 4.1.14, 4.2.13, 4.3.4, and 4.4.1 [1]. Administrators should upgrade immediately. Debian also issued DSA-2098-1 to address this issue [4]. No workarounds are documented; updating is the recommended action.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| typo3/cms-backend (Packagist) | < 4.1.14 | 4.1.14 |
| typo3/cms-backend (Packagist) | >= 4.2.0, < 4.2.13 | 4.2.13 |
| typo3/cms-backend (Packagist) | >= 4.3.0, < 4.3.4 | 4.3.4 |
| typo3/cms-backend (Packagist) | >= 4.4.0, < 4.4.1 | 4.4.1 |
Affected products
- TYPO3/TYPO3
References
- github.com/advisories/GHSA-4rvc-5hrh-qmwf (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2010-3662 (ghsa, ADVISORY)
- bugs.debian.org/cgi-bin/bugreport.cgi (ghsa, x_refsource_MISC, WEB)
- security-tracker.debian.org/tracker/CVE-2010-3662 (ghsa, x_refsource_MISC, WEB)
- typo3.org/security/advisory/typo3-sa-2010-012/ (ghsa, x_refsource_CONFIRM, WEB)