CVE-2022-35628

9.8 CRITICAL

📋 TL;DR

CVE-2022-35628 is a SQL injection vulnerability in the lux (Living User Experience) extension for TYPO3 CMS. An unauthenticated attacker can inject arbitrary SQL through the extension's frontend forms and read or modify the TYPO3 database. Every TYPO3 installation running an affected lux release is exposed, regardless of how the rest of the site is configured.

💻 Affected Systems

Products:
  • TYPO3 lux extension
Versions: lux extension versions before 17.6.1, and 18.x through 24.x before 24.0.2
Operating Systems: All operating systems running TYPO3
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the lux extension to be installed and enabled in TYPO3. The vulnerability is in frontend forms provided by the extension.

📦 What is this software?

lux (Living User Experience) is a marketing-automation and lead-tracking extension for TYPO3 by in2code. It records visitor behaviour on the website's frontend (page views, downloads, form submissions) and stores it in the TYPO3 database for lead scoring, which is why it ships frontend entry points that accept untrusted input. It is an optional third-party extension, not part of TYPO3 core.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise: theft or manipulation of everything in the TYPO3 database, including backend user records (be_users) and their password hashes, leading to backend account takeover. If the database account holds FILE or similar privileges, an injection can also write files on the database host and so reach code execution.

🟠

Likely Case

Unauthorized data access, data manipulation, and potential privilege escalation within the TYPO3 application.

🟢

If Mitigated

Disabling the extension removes the exposure entirely. A WAF and a least-privilege database account only reduce the impact; the injection itself remains exploitable until the extension is updated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The advisory attributes the flaw to the extension's frontend forms. Generic SQL injection tooling typically suffices once the injectable parameter is located, so the absence of a public proof of concept offers little protection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: lux extension 17.6.1 (17.x branch) or 24.0.2 (18.x-24.x branches)

Vendor Advisory: https://typo3.org/security/advisory/typo3-ext-sa-2022-014

Restart Required: No

Instructions:

1. Update the lux extension via the TYPO3 Extension Manager (classic installations) or Composer (package in2code/lux).
2. For the 17.x branch: update to 17.6.1.
3. For the 18.x-24.x branches: update to 24.0.2.
4. Clear the TYPO3 caches after the update.

🔧 Temporary Workarounds

Disable lux extension

all

Temporarily disable the vulnerable lux extension until patching is possible. This removes the extension's frontend entry points entirely, at the cost of its tracking features. The command below is the typo3_console form for classic (non-Composer) installations; in Composer-based TYPO3 v11+ installations every installed extension is active and cannot be deactivated this way, so remove the package with Composer instead.

typo3cms extension:deactivate lux

Web Application Firewall

all

Apply SQL injection rule sets (for example the OWASP Core Rule Set's SQLi rules) to requests that reach lux's frontend endpoints. Treat this as a stopgap only: signature bypasses for SQL injection filters are routine, and the WAF must URL-decode parameters before matching.

🧯 If You Can't Patch

  • Input validation in your own site code does not help: the vulnerable queries live inside lux itself. If updating is impossible, apply the changes from the fixed release (17.6.1 or 24.0.2) to the installed extension as a local patch.
  • Run TYPO3 with a database account restricted to its own schema and without FILE or SUPER privileges. This caps what an injection can reach on the database host but does not stop reading or altering TYPO3's own tables.

🔍 How to Verify

Check if Vulnerable:

Check the installed lux version in the TYPO3 Extension Manager, or in Composer-based installations via composer show in2code/lux

Check Version:

composer show in2code/lux | grep version

Verify Fix Applied:

Confirm the installed lux version is 17.6.1 or later on the 17.x branch, or 24.0.2 or later. Note that a release such as 18.0.0 is newer than 17.6.1 but still affected; the two branches must be checked separately.
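An added example (not code from lux, TYPO3 or the page's original content) that automates this check. It encodes the two affected ranges from the advisory and shows why a single "is it at least 17.6.1?" comparison is wrong. It assumes Composer's standard "versions : * X.Y.Z" output line for an installed package and the package name in2code/lux; the sample Composer output embedded at the bottom is constructed so the script runs offline.

```python
"""CVE-2022-35628 version check for the lux extension.

Added example, not code from the lux project or TYPO3. It encodes the affected
ranges given in the advisory (every release below 17.6.1, and 18.0.0 up to but
excluding 24.0.2). A single "is it >= 17.6.1?" test is not enough: 18.0.0 is
newer than 17.6.1 and still vulnerable, so the two branches are tested
separately. Assumed: Composer prints "versions : * X.Y.Z" for an installed
package, and the extension's Composer name is in2code/lux.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

FIXED_17 = (17, 6, 1)         # first fixed release on the 17.x branch
BRANCH_18_START = (18, 0, 0)  # start of the second affected range
FIXED_24 = (24, 0, 2)         # first fixed release on the 18.x-24.x line


def parse_version(text: str) -> Version:
    """Turn '24.0.2', 'v24.0.2' or '17.6' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version: str) -> bool:
    """True if this lux release is in an affected range of CVE-2022-35628."""
    v = parse_version(version)
    if v < FIXED_17:
        return True                      # 17.6.0 and every older release
    if BRANCH_18_START <= v < FIXED_24:
        return True                      # 18.0.0 ... 24.0.1 inclusive
    return False                         # 17.6.1+ on 17.x, or 24.0.2 and later


def version_from_composer_show(output: str) -> Optional[str]:
    """Pull the installed version out of `composer show <package>` output.

    Composer marks the installed version with an asterisk on the 'versions'
    line, e.g. 'versions : * 24.0.1'.
    """
    m = re.search(r"^versions\s*:\s*\*\s*(\S+)", output, re.MULTILINE)
    return m.group(1) if m else None


def check_installed(package: str = "in2code/lux") -> Optional[bool]:
    """Run Composer in the current project directory and return the verdict.

    Returns None when Composer is missing, the package is not installed, or
    the reported version cannot be parsed (e.g. 'dev-main'), so callers can
    tell 'not affected' from 'could not determine'.
    """
    try:
        out = subprocess.run(["composer", "show", package],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    version = version_from_composer_show(out)
    if version is None:
        return None
    try:
        return is_vulnerable(version)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample of Composer output so the example runs offline.
    SAMPLE = "name     : in2code/lux\ndescrip. : Living User Experience\nversions : * 24.0.1\n"
    v = version_from_composer_show(SAMPLE)
    print(f"lux {v}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
```

Run it from the TYPO3 project root with `check_installed()` to query the real installation; the `__main__` block only exercises the constructed sample. The three-way return value (vulnerable, fixed, unknown) matters in fleet scans: a parse failure on a dev branch should be triaged, not silently reported as fixed.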

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors or malformed queries in the database server's error log, or Doctrine DBAL exceptions in TYPO3's own log, triggered by lux requests
  • HTTP 500 responses or TYPO3 exception pages for lux requests, which commonly result from probing payloads breaking the query
  • Quotes, comment sequences (--, /*), UNION SELECT and boolean tautologies (OR 1=1) in request parameters in the web server access log

Network Indicators:

  • SQL injection payloads (URL-encoded or plain) in HTTP GET or POST requests to lux endpoints
  • Unusual query volume or repeated long-running queries from the TYPO3 database account; time-based blind injection shows up as bursts of queries with a fixed delay

SIEM Query:

web_requests WHERE url CONTAINS 'lux' AND (params CONTAINS 'UNION' OR params CONTAINS 'SELECT' OR params CONTAINS 'OR 1=1')

Pseudo-syntax; adapt to your SIEM. Match case-insensitively against the URL-decoded parameters, since payloads typically arrive as %27, %20 and + sequences, and expect false positives from 'SELECT' alone in ordinary search terms.
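The same detection logic as working code, added here as an example (not part of the page's original content and not code from lux): it runs the SIEM query's intent over constructed Apache/nginx combined-format access log lines. Assumptions: lux requests can be recognised by the substring "lux" somewhere in the request URL (the /lux/track path in the sample is a placeholder, not a real lux endpoint; set LUX_PATH_HINT to the paths your site actually serves), and the log lines and IPs are made up for the demonstration. It handles two things the pseudo-query glosses over: parameters are URL-decoded (twice, to catch %2527-style double encoding) before matching, and matching is case-insensitive. Only GET parameters appear in access logs; POST bodies need WAF or application-level logging.

```python
"""Detection of SQL injection probes against lux endpoints in web access logs.

Added example, not code from the page's original content or from lux. Runs the
SIEM pseudo-query's intent over combined-format access log lines. Assumed: lux
requests contain LUX_PATH_HINT in their URL; the /lux/track path and every log
line below are constructed placeholders, not real lux endpoints or traffic.
"""
import re
from typing import Dict, List
from urllib.parse import unquote_plus, urlsplit

LUX_PATH_HINT = "lux"   # assumption: substring that identifies lux requests

# Combined log format: ip ident user [time] "METHOD url HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Common SQL injection markers. A starting point for detection, not a WAF rule set.
SQLI_RE = re.compile(
    r"(\bunion\b\s+(?:all\s+)?\bselect\b"          # UNION SELECT / UNION ALL SELECT
    r"|\bor\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+"   # OR 1=1, OR '1'='1
    r"|\bsleep\s*\(|\bbenchmark\s*\("              # time-based blind probes
    r"|information_schema"                          # schema enumeration
    r"|--\s|/\*|;\s*drop\b)",                       # comment terminators, stacked DROP
    re.IGNORECASE,
)


def decoded_request(url: str) -> str:
    """Return path plus URL-decoded query string (decoded twice for %25xx tricks)."""
    parts = urlsplit(url)
    query = unquote_plus(unquote_plus(parts.query))
    return f"{parts.path}?{query}"


def find_sqli_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per access-log line that targets lux with an SQLi marker."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                           # not a combined-format line; skip
        url = m.group("url")
        if LUX_PATH_HINT not in url.lower():
            continue                           # not a lux request
        decoded = decoded_request(url)
        marker = SQLI_RE.search(decoded)
        if marker:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "status": m.group("status"),
                "match": marker.group(0),
                "request": decoded,
            })
    return hits


# Constructed sample log lines (not real traffic; IPs from documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2022:13:05:01 +0000] "GET /lux/track?uid=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Aug/2022:13:05:09 +0000] "GET /lux/track?uid=1%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20be_users-- HTTP/1.1" 500 221 "-" "curl/7.84.0"',
    '198.51.100.23 - - [10/Aug/2022:13:05:11 +0000] "GET /lux/track?uid=1+oR+1%3D1 HTTP/1.1" 200 512 "-" "curl/7.84.0"',
    '203.0.113.50 - - [10/Aug/2022:13:06:00 +0000] "GET /news/?search=select+your+union HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Aug/2022:13:07:42 +0000] "GET /lux/track?uid=1%2527%2520UNION%2520SELECT%25201 HTTP/1.1" 500 221 "-" "python-requests/2.28"',
]

if __name__ == "__main__":
    for hit in find_sqli_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} status={hit['status']} "
              f"matched {hit['match']!r}: {hit['request']}")
```

Of the five sample lines, three are flagged: the plainly encoded UNION SELECT, the mixed-case tautology that a case-sensitive match would miss, and the double-encoded probe that only appears after the second decode. The non-lux request with "select" and "union" as ordinary words is ignored by the path filter, which is the main lever for keeping the false-positive rate down.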
