TYPO3-EXT-SA-2015-004: Information Disclosure in Direct Mail Subscription (direct_mail_subscription)

It has been discovered that the extension "Direct Mail Subscription" (direct_mail_subscription) is susceptible to Information Disclosure.

Release Date: January 16, 2015

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: 2.0.1

Vulnerability Type: Information Disclosure

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C

Problem Description: The extension discloses personal data of newsletter subscribers. Such data might be cached and indexed by search engines.

Solution: Updated version 2.0.2 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/direct_mail_subscription/2.0.2/t3x/. If you are using a custom template, please consider the removal of name and email markers throughout the template!

Credits: Credits go to Ingo Müller and Stefan Neufeind who discovered the vulnerability.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.