Release Date: May 11, 2011 (Version 1)
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: Version 1.6.0, 1.6.1 and 1.6.2
Vulnerability Type: Blind SQL Injection
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C (What's that?)
Problem Description: Failing to properly sanitize user-supplied input the extension is open to Blind SQL Injection attacks. The vulnerabilities allow website editors to inject arbitrary code in database queries. Exploiting this flaw requires TYPO3 editor permissions and granted access to the powermail administration module.
Solution: An updated version 1.6.3 is available from the TYPO3 extension manager and athttp://typo3.org/extensions/repository/view/powermail/1.6.3/. Users of the extension are advised to update the extension as soon as possible.
Update (May 11): In contrary to the initial version of the bulletin, the vulnerability only affects extension versions 1.6.X whereas version 1.6.3 fixes the issue.
Credits: Credits go to powermail team who discovered and fixed the issue.
General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook. Please subscribe to thetypo3-announce mailing list to receive future Security Bulletins via E-mail.