CVE-2024-45233
August 28, 2024
An issue was discovered in the powermail extension for TYPO3 through version 12.3.5. Several actions in the OutputController can be called directly because access checks are missing or insufficiently implemented, resulting in Broken Access Control. Depending on how the Powermail Frontend plugins are configured, an unauthenticated attacker can exploit this to edit, update, delete, or export data of persisted forms. The issue is only exploitable when the Powermail Frontend plugins are in use. The fixed versions are 7.5.0, 8.5.0, 10.9.0, and 12.4.0.
Affected Packages
in2code/powermail (PHP):
Affected version(s): >=8.0.0 <8.5.0
Fix Suggestion: Update to version 8.5.0

in2code/powermail (PHP):
Affected version(s): >=dev-bugfix-v12/969_required-argument-is-missing <7.5.0
Fix Suggestion: Update to version 7.5.0

in2code/powermail (PHP):
Affected version(s): >=9.0.0 <10.9.0
Fix Suggestion: Update to version 10.9.0

in2code/powermail (PHP):
Affected version(s): >=11.0.0 <12.4.0
Fix Suggestion: Update to version 12.4.0
CVSS v4
Base Score: 8.9
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Vulnerable System Confidentiality: HIGH
Vulnerable System Integrity: HIGH
Vulnerable System Availability: HIGH
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE
Exploit Maturity: POC
CVSS v3
Base Score: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH
Exploit Maturity: FUNCTIONAL
EPSS
Base Score: 0.25