- Release Date: October 15, 2019
- Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
- Vulnerability Type: Information Disclosure
- Affected Versions: 5.2.2 and below
- Severity: Medium
- Suggested CVSS v3.0: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:X
- CVE: CVE-2019-16698

A missing access check in the backend module of the extension allows a backend user without access to configured tables (e.g. fe_users, tt_address) to view and export data of users subscribed to a newsletter.
An updated version 5.2.3 is available from the TYPO3 extension manager and at https://extensions.typo3.org/extension/download/direct_mail/5.2.3/zip/
Users of the extension are advised to update the extension as soon as possible.
Credits go to Markus Klein who discovered and reported the vulnerability.