CVE-2021-38302

9.8 CRITICAL

📋 TL;DR

This vulnerability allows SQL injection in the Newsletter extension for TYPO3 CMS. Attackers can execute arbitrary SQL commands through the extension's input fields, potentially compromising the database. All TYPO3 installations using Newsletter extension versions through 4.0.0 are affected.

💻 Affected Systems

Products:
  • TYPO3 Newsletter extension
Versions: All versions through 4.0.0
Operating Systems: All platforms running TYPO3
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Newsletter extension to be installed and active in TYPO3 CMS.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data manipulation, privilege escalation, and potential remote code execution through database functions.

🟠 Likely Case

Unauthorized data access, extraction of sensitive information (user credentials, personal data), and potential website defacement.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only read access to non-sensitive data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities are commonly exploited. Exploitation requires access to the Newsletter extension's functionality, which typically requires some level of authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.1 or later

Vendor Advisory: https://typo3.org/security/advisory/typo3-ext-sa-2021-014

Restart Required: No

Instructions:

1. Update the Newsletter extension to version 4.0.1 or later via the TYPO3 Extension Manager.
2. Clear all caches.
3. Verify the update was successful.

🔧 Temporary Workarounds

Disable Newsletter extension (Platform: all)

Temporarily disable the vulnerable extension until patching is possible:

typo3cms extension:deactivate newsletter

Implement WAF rules (Platform: all)

Add web application firewall rules to block SQL injection patterns targeting Newsletter endpoints.

🧯 If You Can't Patch

  • Restrict access to Newsletter functionality to trusted users only
  • Implement database-level controls: use least privilege accounts, enable query logging, and review database permissions

🔍 How to Verify

Check if Vulnerable:

Check the TYPO3 Extension Manager for the Newsletter extension version. If the version is 4.0.0 or earlier, the system is vulnerable.

Check Version:

typo3cms extension:list | grep newsletter

Verify Fix Applied:

Verify Newsletter extension version is 4.0.1 or later in TYPO3 Extension Manager.

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from TYPO3 application
  • Multiple failed login attempts through Newsletter forms
  • SQL error messages in application logs

Network Indicators:

  • SQL injection patterns in HTTP requests to Newsletter endpoints
  • Unusual database connection patterns from web server

SIEM Query:

source="typo3.log" AND ("SQL" OR "database error" OR "newsletter")
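The SIEM query above is a broad keyword match. As an added example (not part of this advisory and not TYPO3's own tooling), the script below turns the Log Indicators into a small offline detector: it parses log lines, tags each one with the indicators it matches (SQL error text, Newsletter endpoint), and raises an alert when one client produces a burst of SQL errors against Newsletter paths inside a short window, which separates a probing client from a single stray application error. The log format (`timestamp [LEVEL] client= path= msg=`), the client addresses, the paths and the threshold/window values are all constructed assumptions for illustration, not TYPO3's native log layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (assumed simplified layout, NOT TYPO3's native
# log format). Clients, paths and messages are invented for the example.
SAMPLE_LOG = """\
2021-10-04T10:01:12Z [INFO] client=10.0.0.5 path=/index.php?id=12 msg="page rendered"
2021-10-04T10:01:15Z [INFO] client=10.0.0.8 path=/newsletter/subscribe msg="subscription stored"
2021-10-04T10:02:01Z [ERROR] client=10.0.0.9 path=/newsletter/subscribe msg="SyntaxErrorException: You have an error in your SQL syntax"
2021-10-04T10:02:03Z [ERROR] client=10.0.0.9 path=/newsletter/subscribe msg="SyntaxErrorException: You have an error in your SQL syntax"
2021-10-04T10:02:07Z [ERROR] client=10.0.0.9 path=/newsletter/unsubscribe msg="database error: SQL syntax"
2021-10-04T10:09:30Z [ERROR] client=10.0.0.9 path=/newsletter/subscribe msg="database error: SQL syntax"
2021-10-04T10:15:00Z [ERROR] client=10.0.0.12 path=/index.php?id=7 msg="database error: connection refused"
"""

# One regex for the assumed line layout; lines that do not match are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) \[(?P<level>[A-Z]+)\] client=(?P<client>\S+) '
    r'path=(?P<path>\S+) msg="(?P<msg>[^"]*)"$'
)

# Log Indicator: SQL error messages in application logs.
SQL_ERROR_RE = re.compile(r"SQL syntax|SyntaxErrorException|database error", re.IGNORECASE)
# Log Indicator: activity against Newsletter extension endpoints.
NEWSLETTER_RE = re.compile(r"newsletter", re.IGNORECASE)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def indicators(event):
    """Return the set of indicator names an event matches."""
    found = set()
    if SQL_ERROR_RE.search(event["msg"]):
        found.add("sql_error")
    if NEWSLETTER_RE.search(event["path"]):
        found.add("newsletter_endpoint")
    return found


def find_bursts(events, threshold=3, window_seconds=60):
    """Alert on clients whose Newsletter-endpoint SQL errors cluster in time.

    A sliding window per client counts SQL-error events on Newsletter paths;
    any client reaching `threshold` events inside `window_seconds` is reported.
    """
    per_client = defaultdict(list)
    for ev in events:
        tags = indicators(ev)
        if "sql_error" in tags and "newsletter_endpoint" in tags:
            per_client[ev["client"]].append(ev["ts"])

    alerts = []
    for client, stamps in sorted(per_client.items()):
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            # Shrink the window from the left until it spans <= window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"client": client, "max_in_window": best})
    return alerts


def scan(log_text, threshold=3, window_seconds=60):
    """Summarise indicator hits and burst alerts for a block of log text."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    tagged = [indicators(e) for e in events]
    return {
        "events": len(events),
        "sql_errors": sum("sql_error" in t for t in tagged),
        "newsletter_sql_errors": sum({"sql_error", "newsletter_endpoint"} <= t for t in tagged),
        "bursts": find_bursts(events, threshold, window_seconds),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, client 10.0.0.9 trips the burst rule with three Newsletter SQL errors inside six seconds, while the unrelated connection error from 10.0.0.12 is counted as an SQL error but never alerts; tune `threshold` and `window_seconds` to the normal error rate of your own instance before relying on the rule.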

🔗 References
