GHSA-9895-53fc-98v2: 
PHP vulnerability analysis and mitigation

A SQL injection vulnerability was discovered in TYPO3 CMS, identified as GHSA-9895-53fc-98v2, affecting versions 6.2.0 to 6.2.17. The vulnerability was disclosed on February 16, 2016, and specifically impacts the database abstraction layer (dbal) extension when configured in MySQL passthrough mode (TYPO3 Advisory, GitHub Advisory).

The vulnerability stems from a flaw in the database escaping API of TYPO3's dbal extension. All queries utilizing the DatabaseConnection::sql_query method are vulnerable to SQL injection, even when arguments are properly escaped using DatabaseConnection::quoteStr beforehand. The vulnerability has been assigned a high severity rating, with a suggested CVSS v2.0 score of AV:N/AC:M/Au:N/C:C/I:P/A:N/E:F/RL:O/RC:C (TYPO3 Advisory).

The SQL injection vulnerability could potentially allow attackers to execute unauthorized database queries, leading to data breaches and compromise of confidential information stored in the TYPO3 CMS database. The high severity rating indicates significant potential impact on system security (GitHub Advisory).

The vulnerability was patched in TYPO3 version 6.2.18. Users are strongly advised to update to this version to address the security issue. The fix was credited to Mohamed Rebai, who discovered and reported the vulnerability (TYPO3 Advisory).