NVD:CVE-2022-47409
History: Dec 14, 2022 - 9:15 p.m.

CVE-2022-47409

2022-12-14 21:15:14
web.nvd.nist.gov
5
typo3
newsletter subscriber management
unsubscribe operations
security vulnerability

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.001
Percentile: 32.0%

An issue was discovered in the fp_newsletter (aka Newsletter subscriber management) extension before 1.1.1, 1.2.0, 2.x before 2.1.2, 2.2.1 through 2.4.0, and 3.x before 3.2.6 for TYPO3. Attackers can unsubscribe everyone via a series of modified subscription UIDs in deleteAction operations.

Affected configurations

Nvd
Node
fp_newsletter_project | fp_newsletter | Range < 1.1.1 | typo3
OR
fp_newsletter_project | fp_newsletter | Range 2.0.0 - 2.1.2 | typo3
OR
fp_newsletter_project | fp_newsletter | Range 2.2.1 - 2.4.0 | typo3
OR
fp_newsletter_project | fp_newsletter | Range 3.0.0 - 3.2.6 | typo3
OR
fp_newsletter_project | fp_newsletter | Match 1.2.0 | typo3

Vendor | Product | Version | CPE
fp_newsletter_project | fp_newsletter | * | cpe:2.3:a:fp_newsletter_project:fp_newsletter:*:*:*:*:*:typo3:*:*
fp_newsletter_project | fp_newsletter | 1.2.0 | cpe:2.3:a:fp_newsletter_project:fp_newsletter:1.2.0:*:*:*:*:typo3:*:*
