- Release Date: August 9, 2018
- Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
- Vulnerability Type: Cross-site scripting
- Affected Versions: 2.25.2 and below
- Severity: Medium
- Suggested CVSS v3.0: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
- CVE: not assigned yet
The extension uses \TYPO3\CMS\Core\Utility\GeneralUtility::removeXSS(), which is known to be vulnerable to XSS.
Note: Only the old Powermail versions 2.25.2 and below for TYPO3 6.2 and 7.6 are affected.
An updated version 2.25.3 is available from the TYPO3 extension manager and at https://extensions.typo3.org/extension/download/powermail/2.25.3/zip/.
Users of the extension are advised to update the extension as soon as possible.
Thanks to Ralf Merz who discovered and reported the vulnerability.
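The following is an added illustration and is not code from the advisory, from Powermail, or from the TYPO3 core. It shows the defensive pattern that replaces input filtering with a function such as GeneralUtility::removeXSS(): untrusted form values are left untouched on input and are encoded at output for the exact context they land in (HTML body, URL parameter, JavaScript string). The helper names (escapeHtml, escapeUrlParam, escapeJs) and the sample field values are my own constructions.

```php
<?php
// Added example, not part of Powermail or the TYPO3 core.
// Context-aware output encoding in place of filter-style "XSS removal".
declare(strict_types=1);

/**
 * Escape a value for an HTML text node or a double-quoted attribute value.
 * ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid
 * UTF-8 sequences instead of silently returning an empty string.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Escape a value for use as a single query-string parameter in a URL.
 * The result must still be placed inside an HTML-escaped attribute.
 */
function escapeUrlParam(string $value): string
{
    return rawurlencode($value);
}

/**
 * Produce a JavaScript string literal that is safe to embed inside a
 * <script> block: json_encode quotes the value and the JSON_HEX_* flags
 * turn < > & ' " into \uXXXX escapes so the literal cannot end the block.
 */
function escapeJs(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
}

// Constructed submitted field values, standing in for a form submission.
$fields = [
    'firstname' => 'Alice <b>"Admin"</b>',
    'comment'   => "<script>alert('hi')</script> & more",
];

// Render a confirmation fragment. Each interpolation point uses the encoder
// for its own context; no value is "cleaned" up front, so there is no
// blacklist that a new HTML or JavaScript construct could slip past.
$html  = '<p>Thank you, ' . escapeHtml($fields['firstname']) . '!</p>' . "\n";
$html .= '<blockquote>' . escapeHtml($fields['comment']) . '</blockquote>' . "\n";
$html .= '<a href="' . escapeHtml('/search?q=' . escapeUrlParam($fields['comment'])) . '">Search again</a>' . "\n";
$html .= '<script>var lastComment = ' . escapeJs($fields['comment']) . ';</script>' . "\n";

echo $html;
```

The design point is that encoding is decided by the output context rather than by guessing what a filter should strip: the same comment string is HTML-encoded in the blockquote, percent-encoded inside the link target, and JSON-encoded inside the script, and the literal text of the submission survives intact in each place as inert data. When auditing an extension for this class of issue, the check is therefore not whether a sanitiser is called on input, but whether every point where user data reaches markup applies the encoder for that context.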