Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wNjUyLXhjZ3gtZjg1bc4AA_B1
"powermail" (powermail) Insecure Direct Object Reference (IDOR)
An issue was discovered in the powermail extension through 12.3.5 for TYPO3. It fails to validate the mail parameter of the confirmationAction, resulting in an Insecure Direct Object Reference (IDOR). An unauthenticated attacker can use this to display the user-submitted data of all forms persisted by the extension. This can only be exploited when the extension is configured to save submitted form data to the database (plugin.tx_powermail.settings.db.enable=1), which however is the default setting of the extension. The fixed versions are 7.5.0, 8.5.0, 10.9.0, and 12.4.0.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wNjUyLXhjZ3gtZjg1bc4AA_B1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 6.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C
Identifiers: GHSA-p652-xcgx-f85m, CVE-2024-45232
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-45232
- https://github.com/in2code-de/powermail/commit/061756732357206f2f13bf39a0676dd266ec9586
- https://github.com/in2code-de/powermail/commit/ac402d4972c77dd119c8db6ffe594c15e8ae0bc5
- https://github.com/in2code-de/powermail/commit/e2ddfaa06d29019d60be02b5a3da04b237ed760b
- https://github.com/in2code-de/powermail/commit/f58d70311799ae5f6acbec52ea9206d21eba91bb
- https://github.com/FriendsOfPHP/security-advisories/blob/master/in2code/powermail/CVE-2024-45232.yaml
- https://typo3.org/security/advisory/typo3-ext-sa-2024-006
- https://github.com/advisories/GHSA-p652-xcgx-f85m
Blast Radius: 10.3
Affected Packages
packagist:in2code/powermail
Dependent packages: 28
Dependent repositories: 33
Downloads: 1,865,209 total
Affected Version Ranges: < 7.5.0, >= 8.0.0, < 8.5.0, >= 9.0.0, < 10.9.0, >= 11.0.0, < 12.4.0
Fixed in: 7.5.0, 8.5.0, 10.9.0, 12.4.0
All affected versions: 3.2.0, 3.3.0, 3.4.0, 3.5.0, 3.6.0, 3.7.0, 3.8.0, 3.9.0, 3.10.0, 3.10.1, 3.11.0, 3.11.1, 3.11.2, 3.12.0, 3.13.0, 3.14.0, 3.15.0, 3.16.0, 3.17.0, 3.18.0, 3.18.1, 3.18.2, 3.19.0, 3.20.0, 3.21.0, 3.21.1, 3.22.0, 3.22.1, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.4.0, 5.0.0, 5.0.1, 5.1.0, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.5.0, 5.6.0, 6.0.0, 6.1.0, 6.2.0, 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.4.2, 7.4.3, 7.4.4, 8.0.0, 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.3.0, 8.3.1, 8.3.2, 8.3.3, 8.4.0, 8.4.1, 8.4.2, 9.0.0, 9.0.1, 9.0.2, 10.0.0, 10.1.0, 10.2.0, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.5.0, 10.6.0, 10.6.1, 10.7.0, 10.7.1, 10.7.2, 10.7.3, 10.7.4, 10.8.0, 10.8.1, 10.8.2, 11.0.0, 11.0.1, 11.1.0, 11.2.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.3.0, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5
All unaffected versions: 7.5.0, 7.5.1, 8.5.0, 8.5.1, 10.9.0, 10.9.1, 10.9.2, 12.4.0, 12.4.1, 12.4.2, 12.4.3, 12.4.4
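As an added example (not part of the advisory page or of the powermail project), a small Python checker that evaluates an installed in2code/powermail version against the affected version ranges listed above. It assumes that in the flat comma-separated list a `>=` bound opens a range and the following `<` bound closes it, with the first range having no lower bound.

```python
"""Check an in2code/powermail version against the affected ranges of
GHSA-p652-xcgx-f85m / CVE-2024-45232 as printed on the advisory page."""
import re
from typing import List, Optional, Tuple

# Affected ranges copied from the advisory. Assumption: a ">=" bound opens a
# new range and the next "<" bound closes it; the first range is open below.
AFFECTED_RANGES = "< 7.5.0, >= 8.0.0, < 8.5.0, >= 9.0.0, < 10.9.0, >= 11.0.0, < 12.4.0"

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '12.3.5' into (12, 3, 5), padding short versions to three parts."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_ranges(spec: str) -> List[Tuple[Optional[Version], Version]]:
    """Group the flat bound list into (lower_inclusive, upper_exclusive) pairs."""
    ranges: List[Tuple[Optional[Version], Version]] = []
    lower: Optional[Version] = None
    for bound in spec.split(","):
        op, ver = bound.strip().split()
        if op == ">=":
            lower = parse_version(ver)
        elif op == "<":
            ranges.append((lower, parse_version(ver)))
            lower = None
        else:
            raise ValueError(f"unexpected operator {op!r}")
    if lower is not None:
        raise ValueError("range opened with '>=' but never closed")
    return ranges


def is_affected(version: str, spec: str = AFFECTED_RANGES) -> bool:
    """True when `version` lies inside any affected range of the advisory."""
    v = parse_version(version)
    return any((lower is None or v >= lower) and v < upper
               for lower, upper in parse_ranges(spec))


if __name__ == "__main__":
    for v in ("12.3.5", "12.4.0", "7.5.1", "8.0.0"):
        print(v, "affected" if is_affected(v) else "not affected")
```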