An issue was discovered in the powermail extension through 12.4.0 for TYPO3. It fails to validate the mail parameter of the createAction, resulting in Insecure Direct Object Reference (IDOR) in some configurations. An unauthenticated attacker can use this to display user-submitted data of all forms persisted by the extension. The fixed versions are 7.5.1, 8.5.1, 10.9.1, and 12.4.1.
References
Link | Resource |
---|---|
https://typo3.org/security/advisory/typo3-ext-sa-2024-007 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
27 Sep 2024, 17:03
Type | Values Removed | Values Added |
---|---|---|
First Time |
In2code powermail
In2code |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
CWE | CWE-639 | |
CPE | cpe:2.3:a:in2code:powermail:*:*:*:*:*:typo3:*:* | |
References | () https://typo3.org/security/advisory/typo3-ext-sa-2024-007 - Vendor Advisory |
20 Sep 2024, 12:30
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
17 Sep 2024, 14:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-09-17 14:15
Updated : 2024-09-27 17:03
NVD link : CVE-2024-47047
Mitre link : CVE-2024-47047
CVE.ORG link : CVE-2024-47047
JSON object : View
Products Affected
in2code
- powermail
CWE
CWE-639
Authorization Bypass Through User-Controlled Key