An issue was discovered in powermail extension through 12.3.5 for TYPO3. It fails to validate the mail parameter of the confirmationAction, resulting in Insecure Direct Object Reference (IDOR). An unauthenticated attacker can use this to display the user-submitted data of all forms persisted by the extension. This can only be exploited when the extension is configured to save submitted form data to the database (plugin.tx_powermail.settings.db.enable=1), which however is the default setting of the extension. The fixed versions are 7.5.0, 8.5.0, 10.9.0, and 12.4.0
References
Link | Resource |
---|---|
https://typo3.org/security/advisory/typo3-ext-sa-2024-006 | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
30 Aug 2024, 16:34
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.3 |
First Time |
In2code
In2code powermail |
|
References | () https://typo3.org/security/advisory/typo3-ext-sa-2024-006 - Third Party Advisory | |
CPE | cpe:2.3:a:in2code:powermail:*:*:*:*:*:typo3:*:* |
29 Aug 2024, 20:36
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-639 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.3 |
29 Aug 2024, 13:25
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
29 Aug 2024, 00:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-29 00:15
Updated : 2024-08-30 16:34
NVD link : CVE-2024-45232
Mitre link : CVE-2024-45232
CVE.ORG link : CVE-2024-45232
JSON object : View
Products Affected
in2code
- powermail
CWE
CWE-639
Authorization Bypass Through User-Controlled Key