CVE-2010-4891
Description
SQL injection vulnerability in the Yet Another Calendar (ke_yac) extension before 1.1.2 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in the Yet Another Calendar (ke_yac) TYPO3 extension before 1.1.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Vulnerability
The Yet Another Calendar (ke_yac) extension for TYPO3, prior to version 1.1.2, contains a SQL injection vulnerability. The available references do not identify the affected parameter or function (the vectors are listed as unspecified); what is known is that attacker-controlled input reaches a SQL query without adequate escaping or type checking. All versions before 1.1.2 are affected [1].
Exploitation
An attacker can exploit this remotely. The references do not state which parameter is affected or whether authentication is required; as with most SQL injection flaws in TYPO3 frontend plugins, the likely path is a crafted GET or POST parameter that the extension interpolates into a query string without escaping or type checking. No user interaction is needed beyond the attacker sending the request to a TYPO3 instance running the vulnerable extension.
Impact
Successful exploitation allows a remote attacker to execute arbitrary SQL commands against the underlying database. This can lead to data theft (exposure of sensitive user or configuration data), data modification, or deletion. Because TYPO3 extensions share the core's single database connection, an injection in a calendar plugin reaches every table in the site's database, including frontend and backend user tables, not only the extension's own. The scope is otherwise limited to that database, but could be escalated to server compromise depending on database permissions and configuration (for example a database account with file-write privileges).
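The Exploitation and Impact sections above describe the mechanism in the abstract. The following is an added example, not ke_yac's code and not the real vector (which is unspecified): it builds a constructed SQLite database standing in for a TYPO3 site (a calendar event table plus a fe_users table), shows a query that concatenates a request parameter into SQL the way an unsanitized extension would, and beside it the hardened form that validates the value and binds it as a parameter. The table names, columns and the UNION payload are all constructed for illustration.

```python
import re
import sqlite3

# Constructed schema standing in for a TYPO3 site's database. Not ke_yac's
# real tables: tx_events plays the extension's calendar table, fe_users plays
# the frontend user table an attacker would want to read.
SCHEMA = """
CREATE TABLE tx_events (uid INTEGER PRIMARY KEY, title TEXT, category INTEGER);
CREATE TABLE fe_users (uid INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO tx_events VALUES (1, 'Staff meeting', 1), (2, 'Public talk', 2);
INSERT INTO fe_users VALUES (1, 'editor', 'hash-of-editor-password'),
                            (2, 'admin', 'hash-of-admin-password');
"""


def open_db():
    """Create an in-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def events_vulnerable(conn, category):
    """Unsafe pattern: the request parameter is pasted into the SQL text, so a
    value containing SQL syntax changes the query's structure."""
    sql = "SELECT title FROM tx_events WHERE category = " + str(category)
    return [row[0] for row in conn.execute(sql)]


def events_hardened(conn, category):
    """Hardened pattern: reject anything that is not an unsigned integer, then
    bind the value as a parameter so it can only ever be data."""
    if not re.fullmatch(r"\d+", str(category)):
        raise ValueError("category must be an unsigned integer")
    sql = "SELECT title FROM tx_events WHERE category = ?"
    return [row[0] for row in conn.execute(sql, (int(category),))]


# Constructed attacker input: the kind of value a crafted GET/POST parameter
# would carry. It appends a UNION that pulls credentials from another table.
PAYLOAD = "2 UNION SELECT username || ':' || password FROM fe_users"


def demo():
    """Run both code paths against the same payload and a legitimate value."""
    conn = open_db()
    try:
        hardened = events_hardened(conn, PAYLOAD)
    except ValueError:
        hardened = "rejected"
    return {
        # Leaks fe_users rows alongside the legitimate event title.
        "vulnerable": sorted(events_vulnerable(conn, PAYLOAD)),
        # Never reaches the database.
        "hardened": hardened,
        # Normal input still works through the hardened path.
        "legit": events_hardened(conn, "2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The UNION payload is only one shape of the attack; the point is that the vulnerable function lets the parameter rewrite the query, while the hardened one constrains the value to a type and passes it out of band of the SQL text. In TYPO3 4.x PHP terms the equivalent fix is casting with intval() or quoting with the database API's fullQuoteStr() before the value enters the WHERE clause.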
Mitigation
The vulnerability is fixed in version 1.1.2 of the ke_yac extension, published through the TYPO3 extension repository [1]. Users should update to this version or later; the installed version can be confirmed in the TYPO3 Extension Manager or in the extension's ext_emconf.php. No workarounds are documented in the available references. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
6 CPE entries:
- cpe:2.3:a:andreas_kiefer:ke_yac:*:*:*:*:*:*:*:* (range: <= 1.1.1)
- cpe:2.3:a:andreas_kiefer:ke_yac:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:andreas_kiefer:ke_yac:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:andreas_kiefer:ke_yac:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:andreas_kiefer:ke_yac:1.1.0:*:*:*:*:*:*:*
- (no CPE) range: < 1.1.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.