TYPO3 · Fp Newsletter · CVE-2022-47408
**Name of the Vulnerable Software and Affected Versions**
fp newsletter extension versions 1.0 through 1.1.0
fp newsletter extension version 1.2.0
fp newsletter extension versions 2.0 through 2.1.1
fp newsletter extension versions 2.2.1 through 2.4.0
fp newsletter extension versions 3.0 through 3.2.5
**Description**
The fp newsletter extension for TYPO3 is affected by a CAPTCHA bypass that allows automated, mass creation of newsletter subscriptions. In addition, the `deleteAction` accepts arbitrary subscription UIDs, so a request can be repeated across the UID range to unsubscribe all newsletter subscribers. Insufficient access checks in the `createAction` and `unsubscribeAction` can be abused to obtain data of existing newsletter subscribers.
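As an added example, not code from the fp newsletter extension or from TYPO3, the plain PHP sketch below shows the vulnerable pattern the description refers to (a delete handler that trusts a client-supplied subscription uid) next to a hardened version that requires a per-subscriber secret, plus a server-side CAPTCHA check that fails closed. The `SubscriberStore` class, the `createSubscriber` function, the `$verifier` callable and the sample subscribers are all hypothetical stand-ins for the extension's Extbase controller, repository and CAPTCHA provider.

```php
<?php
declare(strict_types=1);

// Added example, not the fp_newsletter extension's code: a minimal stand-in for
// an Extbase controller's delete/unsubscribe handling, showing the unsafe pattern
// (trusting a client-supplied uid) beside a hardened one.

final class SubscriberStore
{
    /** @var array<int, array{email: string, secret: string}> constructed sample data */
    private array $rows = [];

    public function add(int $uid, string $email): void
    {
        // A per-subscriber random secret, stored with the record and only ever
        // revealed inside that subscriber's own confirmation/unsubscribe link.
        $this->rows[$uid] = ['email' => $email, 'secret' => bin2hex(random_bytes(16))];
    }

    public function secretFor(int $uid): ?string
    {
        return $this->rows[$uid]['secret'] ?? null;
    }

    public function count(): int
    {
        return count($this->rows);
    }

    // VULNERABLE: the uid is the only input, so an attacker can iterate
    // uid=1,2,3,... and unsubscribe everyone (the deleteAction issue above).
    public function deleteUnchecked(int $uid): bool
    {
        if (!isset($this->rows[$uid])) {
            return false;
        }
        unset($this->rows[$uid]);
        return true;
    }

    // HARDENED: the request must also carry the secret that was mailed to that
    // subscriber; hash_equals() keeps the comparison constant-time.
    public function deleteWithToken(int $uid, string $token): bool
    {
        $expected = $this->rows[$uid]['secret'] ?? null;
        if ($expected === null || !hash_equals($expected, $token)) {
            return false; // unknown uid or wrong token: refuse and reveal nothing
        }
        unset($this->rows[$uid]);
        return true;
    }
}

// Server-side CAPTCHA check that fails closed. $verifier is a hypothetical
// callable standing in for the real provider's verification call.
function createSubscriber(
    SubscriberStore $store,
    int $uid,
    string $email,
    ?string $captchaResponse,
    callable $verifier
): bool {
    if ($captchaResponse === null || $captchaResponse === '' || !$verifier($captchaResponse)) {
        return false; // missing or unverified CAPTCHA: do not create the record
    }
    $store->add($uid, $email);
    return true;
}

// Demo with constructed data.
$store = new SubscriberStore();
$verifier = static fn(string $response): bool => $response === 'solved';

createSubscriber($store, 1, 'alice@example.invalid', 'solved', $verifier);
createSubscriber($store, 2, 'bob@example.invalid', 'solved', $verifier);
createSubscriber($store, 3, 'mallory@example.invalid', null, $verifier); // rejected: no CAPTCHA

// Attacker walks the uid space against the unchecked action: every subscriber is gone.
foreach ([1, 2, 3] as $uid) {
    $store->deleteUnchecked($uid);
}
echo 'after unchecked deletes: ' . $store->count() . " subscribers\n";

// Against the hardened action a guessed uid alone does nothing; only the
// subscriber's own secret succeeds.
createSubscriber($store, 1, 'alice@example.invalid', 'solved', $verifier);
var_dump($store->deleteWithToken(1, 'guess'));
var_dump($store->deleteWithToken(1, (string) $store->secretFor(1)));
echo 'remaining: ' . $store->count() . " subscribers\n";
```

Run with `php demo.php`. The point is that `deleteUnchecked()` lets anyone enumerate UIDs, while `deleteWithToken()` refuses unless the caller presents the secret that was only ever sent to that subscriber. In an Extbase controller the same ownership check belongs in `deleteAction` and `unsubscribeAction` before any repository call, and `createAction` should reject requests whose CAPTCHA response is missing or fails server-side verification rather than treating a missing response as passed.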
**Recommendations**
For fp newsletter extension versions 1.0 through 1.1.0, update to version 1.1.1 or later.
For fp newsletter extension version 1.2.0, update to version 2.1.2 or later.
For fp newsletter extension versions 2.0 through 2.1.1, update to version 2.1.2 or later.
For fp newsletter extension versions 2.2.1 through 2.4.0, update to version 3.2.6 or later.
For fp newsletter extension versions 3.0 through 3.2.5, update to version 3.2.6 or later.
As a temporary workaround until the update can be applied, restrict access to the `createAction`, `unsubscribeAction` and `deleteAction` functions of the extension.
In particular, do not leave the `deleteAction` reachable, since it accepts arbitrary subscription UIDs and can be used to unsubscribe all subscribers.