The powermail extension for TYPO3 allows an Insecure Direct Object Reference (IDOR), resulting in the download of arbitrary files from the web server. This issue affects powermail versions 12.0.0 up to 12.5.2 and version 13.0.0.
References: GSA_kwCzR0hTQS14NzY5LTNjd3YtZjhoY84ABKaQ
Powermail extension for TYPO3 allows Insecure Direct Object Reference
Affected Packages | Affected Versions | Fixed Versions
---|---|---
packagist:in2code/powermail | = 13.0.0, >= 12.0.0, < 12.5.3 | 13.0.1, 12.5.3
Affected Version Ranges

All affected versions: 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.4.0, 12.4.1, 12.4.2, 12.4.3, 12.4.4, 12.5.0, 12.5.1, 12.5.2, 13.0.0

All unaffected versions: 3.2.0, 3.3.0, 3.4.0, 3.5.0, 3.6.0, 3.7.0, 3.8.0, 3.9.0, 3.10.0, 3.10.1, 3.11.0, 3.11.1, 3.11.2, 3.12.0, 3.13.0, 3.14.0, 3.15.0, 3.16.0, 3.17.0, 3.18.0, 3.18.1, 3.18.2, 3.19.0, 3.20.0, 3.21.0, 3.21.1, 3.22.0, 3.22.1, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.4.0, 5.0.0, 5.0.1, 5.1.0, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.5.0, 5.6.0, 6.0.0, 6.1.0, 6.2.0, 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.4.2, 7.4.3, 7.4.4, 7.5.0, 7.5.1, 8.0.0, 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.3.0, 8.3.1, 8.3.2, 8.3.3, 8.4.0, 8.4.1, 8.4.2, 8.5.0, 8.5.1, 9.0.0, 9.0.1, 9.0.2, 10.0.0, 10.1.0, 10.2.0, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.5.0, 10.6.0, 10.6.1, 10.7.0, 10.7.1, 10.7.2, 10.7.3, 10.7.4, 10.8.0, 10.8.1, 10.8.2, 10.9.0, 10.9.1, 10.9.2, 11.0.0, 11.0.1, 11.1.0, 11.2.0