Home > Vulnerability Database > CVE-2023-50461

Mend.io Vulnerability Database

CVE-2023-50461

Date: August 19, 2025

The “Configuration” backend module of the extension allows an authenticated user to write arbitrary page TSConfig for folders configured as “Direct Mail”. Exploiting the vulnerability may lead to Configuration Injection (TYPO3 10.4 and above) and to Arbitrary Code Execution (TYPO3 9.5 and below).\n\nA valid backend user account having access to the Direct Mail \"Configuration\" backend module is needed in order to exploit this vulnerability.

Language: PHP

Severity Score

8.8

Related Resources (5)

Url: https://github.com/kartolo/direct_mail

Url: https://github.com/FriendsOfPHP/security-advisories/blob/master/directmailteam/direct-mail/CVE-2023-50461.yaml

Url: https://typo3.org/security/advisory/typo3-ext-sa-2023-011

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-50461

Url: https://www.mend.io/vulnerability-database/CVE-2023-50461

Severity Score

8.8

Weakness Type (CWE)

External Control of System or Configuration Setting

CWE-15

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CWE-95

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-50461

Date: August 19, 2025

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?