Description
The escapeStrForLike method in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly escape input when the MySQL database is set to sql_mode NO_BACKSLASH_ESCAPES, which allows remote attackers to obtain sensitive information via wildcard characters in a LIKE query.
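The failure mode described above, reproduced as an added example (not TYPO3 code). SQLite stands in for MySQL here as an assumption: its LIKE has no escape character unless an ESCAPE clause is given, which is how MySQL documents LIKE when NO_BACKSLASH_ESCAPES is enabled. The table, rows and helper names are constructed for illustration.

```python
import sqlite3

# Constructed rows; table, column and helper names are hypothetical.
ROWS = ["100%", "100\\x", "100\\ internal note"]

def escape_like(term, esc):
    """Prefix LIKE wildcards, and the escape character itself, with esc."""
    return "".join(esc + c if c in (esc, "%", "_") else c for c in term)

def search(conn, pattern, escape_char=None):
    """Run LIKE with an explicit ESCAPE clause, or with none at all."""
    sql = "SELECT val FROM like_demo WHERE val LIKE ?"
    params = [pattern]
    if escape_char is not None:
        sql += " ESCAPE ?"
        params.append(escape_char)
    return sorted(row[0] for row in conn.execute(sql, params))

def run_demo(term="100%"):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE like_demo (val TEXT)")
    conn.executemany("INSERT INTO like_demo VALUES (?)", [(r,) for r in ROWS])
    backslashed = escape_like(term, "\\")  # the term with a backslash before %
    return {
        # Backslash honoured as the escape (MySQL's default): % is literal.
        "backslash_is_escape": search(conn, backslashed, "\\"),
        # No escape character (NO_BACKSLASH_ESCAPES): \ is literal, % is a wildcard.
        "no_escape_char": search(conn, backslashed),
        # Hardened: the escape character is stated, so sql_mode no longer matters.
        "explicit_escape": search(conn, escape_like(term, "|"), "|"),
    }

if __name__ == "__main__":
    for case, rows in run_demo().items():
        print(f"{case:20} {rows}")
```

MySQL accepts the same `LIKE ... ESCAPE '|'` clause, so an escaper that names its escape character in the query behaves the same in either sql_mode.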
Remediation
References