GoogleOSV:GHSA-Q25C-R482-77P9powermail TYPO3 extension has Insecure Direct Object Reference
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
37.7%
An issue was discovered in the powermail extension through 12.4.0 for TYPO3. It fails to validate the mail parameter of the createAction, resulting in Insecure Direct Object Reference (IDOR) in some configurations. An unauthenticated attacker can use this to display user-submitted data of all forms persisted by the extension. The fixed versions are 7.5.1, 8.5.1, 10.9.1, and 12.4.1.
References
github.com/FriendsOfPHP/security-advisories/blob/master/in2code/powermail/CVE-2024-47047.yaml
github.com/in2code-de/powermail
github.com/in2code-de/powermail/commit/095a17637b6370aefd5390663cc11af47210f575
github.com/in2code-de/powermail/commit/682194d71a5f67fa39d899a9625ba69bb62f9bd8
github.com/in2code-de/powermail/commit/91015da289111b86b8dbcb2553d5a722b944231e
github.com/in2code-de/powermail/commit/bbadb8d7a71ddb469d07d106551938c91465b811
nvd.nist.gov/vuln/detail/CVE-2024-47047
typo3.org/security/advisory/typo3-ext-sa-2024-007
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
37.7%