PT-2024-31491 · Typo3 · Powermail Extension

Oliver Hader · Published 2024-08-28 · Updated 2024-09-02 · CVE-2024-45233

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: powermail extension versions through 12.3.5 for TYPO3

Description: An issue was discovered in the powermail extension, resulting in Broken Access Control due to missing or insufficiently implemented access checks in several actions of the OutputController. This allows an unauthenticated attacker to edit, update, delete, or export data of persisted forms when the Powermail Frontend plugins are used.

Recommendations: For versions through 12.3.5, update to version 7.5.0, 8.5.0, 10.9.0, or 12.4.0 to resolve the issue. As a temporary workaround, consider restricting access to the Powermail Frontend plugins until a patch is applied. Avoid using the vulnerable actions in the OutputController until the issue is resolved.

Fix

Weakness Enumeration

Improper Access Control
Improper Authorization

Related Identifiers

CVE-2024-45233
GHSA-9JQR-5X45-PGW8

Affected Products

Powermail Extension