Extension Address List
Monthly
SQL injection in the TYPO3 'address_list' extension's AddressRepository::getSqlQuery() method allows remote attackers to manipulate database queries when the method is called with untrusted input. The flaw is latent - the vulnerable method is not invoked anywhere within the extension itself, so default installations are not exposed, but custom or third-party extensions that reuse this method become injection sinks. No public exploit identified at time of analysis, and no EPSS or KEV signal accompanies the advisory.
SQL injection in the TYPO3 'address_list' extension's AddressRepository::getSqlQuery() method allows remote attackers to manipulate database queries when the method is called with untrusted input. The flaw is latent - the vulnerable method is not invoked anywhere within the extension itself, so default installations are not exposed, but custom or third-party extensions that reuse this method become injection sinks. No public exploit identified at time of analysis, and no EPSS or KEV signal accompanies the advisory.