Veracode Vulnerability DatabaseVERACODE:48641Broken Access Control
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
39.6%
in2code/powermail is vulnerable to Broken Access Control. The vulnerability is due to the lack of proper validation in the OutputController actions within the Powermail extension, allowing an unauthenticated attacker to edit, update, delete, or export data of persisted forms when the Powermail Frontend plugins are used.
References
github.com/advisories/GHSA-9jqr-5x45-pgw8
github.com/in2code-de/powermail/commit/04a010c4009202e8e1b4c72accd4d7b2771b80b3
github.com/in2code-de/powermail/commit/2c8a1bf7669eb0661e8a93164f57e4b653ac3408
github.com/in2code-de/powermail/commit/6e94ec5e0c7b553c467b826df1b922db6c2ad08e
github.com/in2code-de/powermail/commit/f56f8eefe151ad67cbd32c21f1106953b8e4f19f
typo3.org/security/advisory/typo3-ext-sa-2024-006
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
39.6%