Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1mNjgzLTM1dzktMjhnNc4AAwWi

Multiple vulnerabilities in extension "Newsletter subscriber management" (fp_newsletter)

The CAPTCHA of the extension can be bypassed, which may result in the automated creation of arbitrary newsletter subscribers. It is possible to pass arbitrary subscription UIDs to the deleteAction of the extension, resulting in all newsletter subscribers being unsubscribed. Insufficient access checks in the createAction and unsubscribeAction can be used to obtain data of existing newsletter subscribers.

Permalink: https://github.com/advisories/GHSA-f683-35w9-28g5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNjgzLTM1dzktMjhnNc4AAwWi
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: 11 months ago


CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Identifiers: GHSA-f683-35w9-28g5, CVE-2022-47408
References: Repository: https://github.com/bihor/fp_newsletter
Blast Radius: 1.0

Affected Packages

packagist:fixpunkt/fp-newsletter
Dependent packages: 0
Dependent repositories: 0
Downloads: 16,898 total
Affected Version Ranges: < 1.1.1; >= 2.0.0, < 2.1.2; >= 2.2.0, < 3.2.6
Fixed in: 1.1.1, 2.1.2, 3.2.6
All affected versions: 0.17.4, 0.17.5, 0.18.0, 1.0.0, 1.0.5, 1.1.0, 2.0.0, 2.0.4, 2.1.0, 2.1.1, 2.2.1, 2.2.3, 2.2.4, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.5, 2.3.6, 2.4.0, 3.0.0, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.2.0, 3.2.2, 3.2.5
All unaffected versions: 1.1.1, 1.2.0, 1.2.4, 2.1.2, 3.2.6, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.2.0, 5.0.0, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 6.0.0, 6.1.0, 6.2.0, 6.3.0, 6.3.1, 6.3.2, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 7.0.0, 7.0.1
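The three affected ranges above are easy to misread when a lock file pins, say, 2.1.2 (fixed) next to 2.2.1 (affected again). The following script is an added example for this page, not code from the fp_newsletter project or from ecosyste.ms: it reads a composer.lock, finds fixpunkt/fp-newsletter, evaluates the version against the advisory's ranges (all constraints of a range must hold, any range matching means affected) and names the smallest fixed release above the installed one. The composer.lock excerpt embedded in it is constructed for the example; only plain MAJOR.MINOR.PATCH versions (optionally prefixed with "v") are accepted, anything else is rejected rather than guessed at.

```python
"""Check a composer.lock against GHSA-f683-35w9-28g5 (CVE-2022-47408).

Added example for this advisory page; not code from the fp_newsletter
project or from ecosyste.ms. The lock-file excerpt below is constructed;
the version ranges are the ones listed on the advisory.
"""
import json
import re

PACKAGE = "fixpunkt/fp-newsletter"

# One tuple of constraints per affected range, as listed on the advisory.
AFFECTED_RANGES = [
    ("<1.1.1",),
    (">=2.0.0", "<2.1.2"),
    (">=2.2.0", "<3.2.6"),
]
FIXED_VERSIONS = ["1.1.1", "2.1.2", "3.2.6"]

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")
_CONSTRAINT_RE = re.compile(r"^(<=|>=|<|>|=)?\s*(.+)$")


def parse_version(text):
    """Turn '3.2.5' or 'v3.2.5' into a comparable (major, minor, patch) tuple.

    Pre-release or otherwise non-numeric versions raise instead of being
    silently compared wrongly.
    """
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def satisfies(version, constraint):
    """Evaluate a single constraint such as '>=2.0.0' against a parsed version."""
    m = _CONSTRAINT_RE.match(constraint.strip())
    op = m.group(1) or "="
    bound = parse_version(m.group(2))
    return {
        "<": version < bound,
        "<=": version <= bound,
        ">": version > bound,
        ">=": version >= bound,
        "=": version == bound,
    }[op]


def is_affected(version_text, ranges=AFFECTED_RANGES):
    """True if the version lies inside any affected range."""
    version = parse_version(version_text)
    return any(all(satisfies(version, c) for c in rng) for rng in ranges)


def minimal_fix(version_text, fixed=FIXED_VERSIONS):
    """Smallest fixed release that is newer than the installed version."""
    version = parse_version(version_text)
    for candidate in sorted(parse_version(f) for f in fixed):
        if candidate > version:
            return ".".join(str(n) for n in candidate)
    return None


def check_lock(lock_text, package=PACKAGE):
    """Scan composer.lock JSON for the package.

    Returns (installed_version, affected, fix_version_or_None), or None if
    the package is not present in either packages or packages-dev.
    """
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                ver = pkg["version"]
                affected = is_affected(ver)
                return ver, affected, (minimal_fix(ver) if affected else None)
    return None


# Constructed composer.lock excerpt (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "typo3/cms-core", "version": "v11.5.20"},
        {"name": "fixpunkt/fp-newsletter", "version": "3.2.5"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    result = check_lock(SAMPLE_LOCK)
    if result is None:
        print(f"{PACKAGE} not present in lock file")
    else:
        ver, affected, fix = result
        state = f"AFFECTED, upgrade to >= {fix}" if affected else "not affected"
        print(f"{PACKAGE} {ver}: {state}")
```

Point check_lock at a real composer.lock (read the file and pass its contents) to use it on a project. Note that the fix lines are per-branch: 2.1.2 closes the 2.0.x/2.1.x range but 2.2.0 through 3.2.5 are affected again, so minimal_fix for a 2.2.x install reports 3.2.6, not 2.1.2.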