CVE-2024-45232

Name of the Vulnerable Software and Affected Versions powermail extension versions prior to 7.5.0 powermail extension versions prior to 8.5.0 powermail extension versions prior to 10.9.0 powermail extension versions prior to 12.4.0

Description An issue was discovered in the powermail extension for TYPO3, where it fails to validate the mail parameter of the confirmationAction, resulting in Insecure Direct Object Reference (IDOR). An unauthenticated attacker can use this to display the user-submitted data of all forms persisted by the extension. This can only be exploited when the extension is configured to save submitted form data to the database, which is the default setting.

Recommendations For versions prior to 7.5.0, update to version 7.5.0 or later. For versions prior to 8.5.0, update to version 8.5.0 or later. For versions prior to 10.9.0, update to version 10.9.0 or later. For versions prior to 12.4.0, update to version 12.4.0 or later. As a temporary workaround, consider disabling the confirmationAction until a patch is available. Restrict access to the plugin.tx powermail.settings.db.enable configuration to minimize the risk of exploitation. Avoid using the mail parameter in the affected confirmationAction until the issue is resolved.