CVE-2024-45232
August 28, 2024
An issue was discovered in powermail extension through 12.3.5 for TYPO3. It fails to validate the mail parameter of the confirmationAction, resulting in Insecure Direct Object Reference (IDOR). An unauthenticated attacker can use this to display the user-submitted data of all forms persisted by the extension. This can only be exploited when the extension is configured to save submitted form data to the database (plugin.tx_powermail.settings.db.enable=1), which however is the default setting of the extension. The fixed versions are 7.5.0, 8.5.0, 10.9.0, and 12.4.0
Affected Packages
in2code/powermail (PHP):
Affected version(s) >=9.0.0 <10.9.0Fix Suggestion:
Update to version 10.9.0in2code/powermail (PHP):
Affected version(s) >=8.0.0 <8.5.0Fix Suggestion:
Update to version 8.5.0in2code/powermail (PHP):
Affected version(s) >=11.0.0 <12.4.0Fix Suggestion:
Update to version 12.4.0in2code/powermail (PHP):
Affected version(s) >=dev-bugfix-v12/969_required-argument-is-missing <7.5.0Fix Suggestion:
Update to version 7.5.0Related ResourcesĀ (8)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
Exploit Maturity
POC
CVSS v3
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
Exploit Maturity
FUNCTIONAL
Weakness Type (CWE)
Authorization Bypass Through User-Controlled Key
EPSS
Base Score:
0.22
