PT-2022-28058 · Typo3 · Fp Newsletter

Martin Waleczek · Published 2022-12-14 · Updated 2025-04-21

CVE-2022-47408
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

- fp newsletter extension versions 1.0 through 1.1.0
- fp newsletter extension version 1.2.0
- fp newsletter extension versions 2.0 through 2.1.1
- fp newsletter extension versions 2.2.1 through 2.4.0
- fp newsletter extension versions 3.0 through 3.2.5
Description

The fp newsletter extension for TYPO3 contains a CAPTCHA bypass that lets the subscription form be driven automatically, so an attacker can create large numbers of newsletter subscribers and subscribe many people without their consent. In addition, the deleteAction accepts arbitrary subscription UIDs from the request, so an attacker who iterates over UIDs can unsubscribe every newsletter subscriber. Finally, insufficient access checks in the createAction and unsubscribeAction can be used to obtain data of existing newsletter subscribers.
Recommendations

- For fp newsletter extension versions 1.0 through 1.1.0, update to version 1.1.1 or later.
- For fp newsletter extension version 1.2.0, update to version 2.1.2 or later.
- For fp newsletter extension versions 2.0 through 2.1.1, update to version 2.1.2 or later.
- For fp newsletter extension versions 2.2.1 through 2.4.0, update to version 3.2.6 or later.
- For fp newsletter extension versions 3.0 through 3.2.5, update to version 3.2.6 or later.

As a temporary workaround until the update can be applied, restrict access to the createAction and unsubscribeAction, and do not expose the deleteAction, since it accepts arbitrary subscription UIDs from the request.
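The deleteAction and unsubscribeAction weaknesses described above are an insecure-direct-object-reference problem: the request names a subscriber record by its database uid and nothing ties the request to that subscriber. The following is an added example, not fp newsletter's own code and not TYPO3 API code; it uses a constructed in-memory repository with hypothetical names (SubscriberRepository, deleteActionInsecure, deleteActionChecked, newSubscriberToken) to contrast an action that deletes whatever uid it is given with one that additionally requires a per-subscriber random token of the kind an unsubscribe e-mail link would carry.

```php
<?php
// Added example, not fp_newsletter's code: a minimal stand-in for an unsubscribe/delete
// endpoint, showing the arbitrary-uid pattern the advisory describes and one way to bind
// the action to the subscriber instead of trusting a bare uid from the request.
declare(strict_types=1);

// Constructed in-memory "table" of subscribers (hypothetical class name, not a TYPO3 repository).
final class SubscriberRepository
{
    /** @var array<int, array{email: string, token: string}> */
    private array $rows;

    public function __construct(array $rows)
    {
        $this->rows = $rows;
    }

    public function findByUid(int $uid): ?array
    {
        return $this->rows[$uid] ?? null;
    }

    public function remove(int $uid): void
    {
        unset($this->rows[$uid]);
    }

    public function count(): int
    {
        return count($this->rows);
    }
}

// Vulnerable pattern: any uid the client supplies is deleted, so iterating 1..N unsubscribes everyone.
function deleteActionInsecure(SubscriberRepository $repo, int $uid): bool
{
    if ($repo->findByUid($uid) === null) {
        return false;
    }
    $repo->remove($uid);
    return true;
}

// Hardened pattern: the unsubscribe link carries a per-subscriber random token generated at
// subscription time; the uid alone proves nothing. hash_equals() avoids a timing side channel.
function deleteActionChecked(SubscriberRepository $repo, int $uid, string $token): bool
{
    $row = $repo->findByUid($uid);
    if ($row === null) {
        return false;
    }
    if (!hash_equals($row['token'], $token)) {
        return false; // wrong or missing token: same answer as "no such uid", so nothing is revealed
    }
    $repo->remove($uid);
    return true;
}

// Token to store with a new subscriber; only the mailed confirmation/unsubscribe link carries it.
function newSubscriberToken(): string
{
    return bin2hex(random_bytes(32));
}

// Demo on constructed data.
$rows = [
    1 => ['email' => 'alice@example.com', 'token' => newSubscriberToken()],
    2 => ['email' => 'bob@example.com',   'token' => newSubscriberToken()],
    3 => ['email' => 'carol@example.com', 'token' => newSubscriberToken()],
];

// Attacker enumerating uids against the insecure action empties the table.
$insecure = new SubscriberRepository($rows);
foreach (range(1, 100) as $guess) {
    deleteActionInsecure($insecure, $guess);
}
printf("insecure action: %d subscribers left\n", $insecure->count());

// The same enumeration against the checked action fails: the attacker holds no valid token.
$checked = new SubscriberRepository($rows);
foreach (range(1, 100) as $guess) {
    deleteActionChecked($checked, $guess, 'deadbeef');
}
printf("checked action:  %d subscribers left\n", $checked->count());

// The legitimate recipient following the mailed link still succeeds.
$ok = deleteActionChecked($checked, 2, $rows[2]['token']);
printf("legitimate unsubscribe of uid 2: %s, %d subscribers left\n", $ok ? 'ok' : 'rejected', $checked->count());
```

Run it with php on the command line: the first loop removes every row by simply counting upwards, the second leaves all rows in place because no guessed uid comes with a valid token, and the final call shows the mailed link still working for its owner. The same token check applies to unsubscribeAction, and the token must be unpredictable (random_bytes, not a hash of the uid or e-mail address) or the check degrades back to uid enumeration.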

Weakness Enumeration

Incorrect Authorization
Improper Authentication

Related Identifiers

CVE-2022-47408
GHSA-F683-35W9-28G5

Affected Products

Fp Newsletter