php · typo3/cms-core · Critical
typo3/cms-core: Form Framework SQL Injection and Privilege Escalation via DataHandler
What changed
Backend users with write access to the form_definition table can bypass Form Framework's persistence validation and permission checks via DataHandler, allowing arbitrary form configuration injection, SQL injection, and privilege escalation.
Who it affects
TYPO3 CMS instances where backend users have write access to the form_definition table.
What to do today
Update to TYPO3 version 14.3.3 LTS immediately.