Christian Pschorr

**Name of the Vulnerable Software and Affected Versions** powermail extension versions prior to 7.5.0 powermail extension versions prior to 8.5.0 powermail extension versions prior to 10.9.0 powermail extension versions prior to 12.4.0 **Description** An issue was discovered in the powermail extension for TYPO3, where it fails to validate the `mail` parameter of the `confirmationAction`, resulting in Insecure Direct Object Reference (IDOR). An unauthenticated attacker can use this to display the user-submitted data of all forms persisted by the extension. This can only be exploited when the extension is configured to save submitted form data to the database, which is the default setting. **Recommendations** For versions prior to 7.5.0, update to version 7.5.0 or later. For versions prior to 8.5.0, update to version 8.5.0 or later. For versions prior to 10.9.0, update to version 10.9.0 or later. For versions prior to 12.4.0, update to version 12.4.0 or later. As a temporary workaround, consider disabling the `confirmationAction` until a patch is available. Restrict access to the `plugin.tx powermail.settings.db.enable` configuration to minimize the risk of exploitation. Avoid using the `mail` parameter in the affected `confirmationAction` until the issue is resolved.