
CVE-2022-35628: SQL Injection in typo3 extension "LUX - TYPO3 Marketing Automation"

CVSS Score: 9.8 (CVSS v3.1)
Basic Information

EPSS Score: 0.9031%
Published: 7/15/2022
Updated: 1/27/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions  | First Patched Version
in2code/lux  | composer  | >= 18.0.0, < 24.0.2  | 24.0.2
in2code/lux  | composer  | < 17.6.1             | 17.6.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The advisory describes a SQL injection issue in the TYPO3 lux extension but includes no code examples, commit diffs, or patch details from which the specific vulnerable functions could be identified. SQL injection of this kind typically occurs when user input is interpolated directly into a SQL string, for example in a repository method that builds raw SQL by concatenating request parameters instead of binding them. Without access to the pre-patch code or the fix, the exact function names and file paths cannot be identified with confidence: the advisory notes only a general failure to sanitize user input and gives no specifics about the affected code paths. What the page does establish is the remediation: the 17.x line is fixed in 17.6.1 and the 18.x through 24.x lines in 24.0.2, so operators on an affected version should upgrade to the corresponding release.
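The following is an added illustration of the pattern the analysis refers to, not code from the LUX extension, the advisory, or the fix: a repository-style lookup that concatenates a request value into raw SQL, next to the same lookup with the value bound as a parameter. It uses an in-memory SQLite database through PDO so it runs stand-alone with the php CLI; the table, column names, and sample rows are invented for the example.

```php
<?php
// Added example (not code from in2code/lux or its patch): raw-SQL concatenation
// versus a parameterized query. Runs stand-alone with `php` using PDO + SQLite.
// The `visitor` table, its columns, and the rows below are constructed for this demo.

declare(strict_types=1);

function setUpDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE visitor (uid INTEGER PRIMARY KEY, email TEXT, identified INTEGER)');
    // Constructed sample rows.
    $pdo->exec("INSERT INTO visitor (email, identified) VALUES ('alice@example.org', 1), ('bob@example.org', 0)");
    return $pdo;
}

// VULNERABLE: a value taken from the request lands inside the SQL text itself,
// so quote characters in the input change the structure of the query.
function findByEmailVulnerable(PDO $pdo, string $email): array
{
    $sql = "SELECT uid, email FROM visitor WHERE email = '" . $email . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the query text is fixed and the value travels as a bound parameter;
// the database compares the literal string and never parses it as SQL.
function findByEmailSafe(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT uid, email FROM visitor WHERE email = :email');
    $stmt->execute(['email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = setUpDatabase();
$payload = "' OR '1'='1";   // tautology payload as it would arrive in a request parameter

// Concatenated, the WHERE clause becomes  email = '' OR '1'='1'  and matches every row.
$leaked = findByEmailVulnerable($pdo, $payload);
// Bound, the same string is compared as data and matches no row.
$safe = findByEmailSafe($pdo, $payload);

printf("vulnerable query returned %d rows, parameterized query returned %d rows\n",
    count($leaked), count($safe));
```

In a TYPO3 extension the same remedy is expressed through the core QueryBuilder obtained from ConnectionPool, where every user-supplied value is wrapped in createNamedParameter() rather than concatenated into the query; that does the binding shown here with PDO's prepare/execute.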


WAF Protection Rules

WAF Rule

A SQL injection issue was discovered in the lux extension before 17.6.1, and 18.x through 24.x before 24.0.2, for TYPO3.
