- Release Date: December 13, 2022
- Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
- Component: "Newsletter subscriber management" (fp_newsletter)
- Composer Package Name: fixpunkt/fp-newsletter
- Vulnerability Type: Information Disclosure and Broken Access Control
- Affected Versions: 1.1.0 and below, 1.2.0, 2.0.0-2.1.0, 2.2.1-2.4.0, 3.0.0-3.2.5
- Severity: High
- Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C
- References: CVE-2022-47408, CVE-2022-47409, CVE-2022-47410, CVE-2022-47411, CWE-284, CWE-200
Problem Description
The captcha of the extension can be bypassed which may result in automated creation of various newsletter subscribers. It is possible to provide arbitrary subscription UIDs to the deleteAction of the extension resulting in all newsletter subscribers to be unsubscribed. Insufficient access checks in the createAction and unsubscribeAction can be used to obtain data of existing newsletter subscribers.
Solution
Updated versions 1.1.1, 2.1.2 and 3.2.6 are available from the TYPO3 extension manager, packagist and at
https://extensions.typo3.org/extension/download/fp_newsletter/1.1.1/zip
https://extensions.typo3.org/extension/download/fp_newsletter/2.1.2/zip
https://extensions.typo3.org/extension/download/fp_newsletter/3.2.6/zip
Users of the extension are advised to update the extension as soon as possible.
Credits
Thanks to Martin Waleczek for reporting the captcha bypass vulnerability and to TYPO3 core & security team member Oliver Hader for reporting the other vulnerabilities. Thanks to Kurt Gusbeth for providing updated versions of the extension.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.