- Release Date: September 17, 2024
- Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
- Component: "powermail" (powermail)
- Composer Package Name: in2code/powermail
- Vulnerability Type: Insecure Direct Object Reference
- Affected Versions: 7.5.0 and below, 8.0.0 - 8.5.0, 9.0.0 - 10.9.0, 12.0.0 - 12.4.0
- Severity: Medium
- Suggested CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
- References: CVE-2024-47047, CWE-284
Problem Description
The extension fails to validate the "mail" parameter of the "createAction", resulting in an Insecure Direct Object Reference (IDOR). An unauthenticated attacker can use this vulnerability to display user-submitted data of all forms persisted by the extension. Note that this vulnerability can only be exploited when the following conditions are met:
- The extension is configured to save submitted form data to the database
- The powermail plugin setting “Redirect to any other Page after submit” is not set
- The powermail plugin setting "Text on submit page" contains the variable "{powermail_all}" or other variables containing sensitive user-submitted data.
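The following is an added illustration of the defect class described above and of one common way to close it; it is not powermail's code and does not reproduce the project's actual fix. It assumes a hypothetical submit-page handler that looks up a persisted submission by a client-supplied "mail" identifier, and it binds the freshly created record to the visitor's session (a hypothetical session key) so that only that record can be rendered on the submit page.

```php
<?php
// Added example, not powermail code. Shows the IDOR pattern named in the
// advisory: a submit page that loads a stored submission by a client-supplied
// "mail" identifier must check that the record belongs to the current
// submission before rendering it. All names here are hypothetical.

declare(strict_types=1);

// Constructed in-memory stand-in for the table of persisted submissions.
$mailStore = [
    101 => ['form' => 1, 'values' => ['name' => 'Alice', 'email' => 'alice@example.test']],
    102 => ['form' => 1, 'values' => ['name' => 'Bob',   'email' => 'bob@example.test']],
];

// Vulnerable pattern: trusts the request parameter and renders whatever
// record it names, so any persisted submission can be read back.
function renderSubmitPageVulnerable(array $store, array $request): ?array
{
    $mailUid = (int)($request['mail'] ?? 0);
    return $store[$mailUid]['values'] ?? null;
}

// Hardened pattern: the uid of the record created in this request is noted
// server-side (session); the submit page renders only that record, and a
// client-supplied uid that does not match is ignored. The session entry is
// cleared after use so the page cannot be re-requested later.
function renderSubmitPageHardened(array $store, array $request, array &$session): ?array
{
    $mailUid = (int)($request['mail'] ?? 0);
    $ownUid  = $session['powermail_created_mail'] ?? null; // hypothetical session key
    if ($ownUid === null || $mailUid !== $ownUid) {
        return null; // not the record this visitor just created
    }
    unset($session['powermail_created_mail']); // one-shot
    return $store[$mailUid]['values'] ?? null;
}

// Constructed demo: this visitor created record 101, the request names 102.
$session = ['powermail_created_mail' => 101];
var_dump(renderSubmitPageVulnerable($mailStore, ['mail' => '102']));           // Bob's data is exposed
var_dump(renderSubmitPageHardened($mailStore, ['mail' => '102'], $session));   // NULL
var_dump(renderSubmitPageHardened($mailStore, ['mail' => '101'], $session));   // Alice's own data
```

The point of the hardened variant is that the authorisation decision is made against state the server set itself when the record was created, not against anything the client sends; the identifier in the request merely has to agree with it. Whether powermail's released fix uses a session, a signed token or another binding is not stated in the advisory.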
Solution
Updated versions 7.5.1, 8.5.1, 10.9.1 and 12.4.1 are available from the TYPO3 extension manager, Packagist and at
https://extensions.typo3.org/extension/download/powermail/7.5.1/zip
https://extensions.typo3.org/extension/download/powermail/8.5.1/zip
https://extensions.typo3.org/extension/download/powermail/10.9.1/zip
https://extensions.typo3.org/extension/download/powermail/12.4.1/zip
Users of the extension are advised to update the extension as soon as possible.
Credits
Thanks to Marcus Schwemer for providing updated versions of the extension.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.