Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mNjgzLTM1dzktMjhnNc4AAwWi
Multiple vulnerabilities in extension "Newsletter subscriber management" (fp_newsletter)
The CAPTCHA of the extension can be bypassed, which may result in the automated creation of arbitrary newsletter subscribers. It is possible to provide arbitrary subscription UIDs to the deleteAction of the extension, resulting in all newsletter subscribers being unsubscribed. Insufficient access checks in the createAction and unsubscribeAction can be used to obtain data of existing newsletter subscribers.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNjgzLTM1dzktMjhnNc4AAwWi
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: 11 months ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-f683-35w9-28g5, CVE-2022-47408
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-47408
- https://typo3.org/security/advisory/typo3-ext-sa-2022-017
- https://github.com/FriendsOfPHP/security-advisories/blob/master/fixpunkt/fp-newsletter/CVE-2022-47408.yaml
- https://github.com/bihor/fp_newsletter/commit/bc673cd9ab04f3fdd1225303f2ccb378b11a3747
- https://github.com/advisories/GHSA-f683-35w9-28g5
Blast Radius: 1.0
Affected Packages
packagist:fixpunkt/fp-newsletter
Dependent packages: 0
Dependent repositories: 0
Downloads: 16,898 total
Affected Version Ranges: < 1.1.1; >= 2.0.0, < 2.1.2; >= 2.2.0, < 3.2.6
Fixed in: 1.1.1, 2.1.2, 3.2.6
All affected versions: 0.17.4, 0.17.5, 0.18.0, 1.0.0, 1.0.5, 1.1.0, 2.0.0, 2.0.4, 2.1.0, 2.1.1, 2.2.1, 2.2.3, 2.2.4, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.5, 2.3.6, 2.4.0, 3.0.0, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.2.0, 3.2.2, 3.2.5
All unaffected versions: 1.1.1, 1.2.0, 1.2.4, 2.1.2, 3.2.6, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.2.0, 5.0.0, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 6.0.0, 6.1.0, 6.2.0, 6.3.0, 6.3.1, 6.3.2, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 7.0.0, 7.0.1