TYPO3-EXT-SA-2024-007: Insecure Direct Object Reference in extension "powermail" (powermail)

Categories: Development Created by Torben Hansen
It has been discovered that the extension "powermail" (powermail) is susceptible to Insecure Direct Object Reference.

Problem Description

The extension fails to validate the “mail” parameter of the “createAction” resulting in Insecure Direct Object Reference (IDOR). An unauthenticated attacker can use this vulnerability to display user submitted data of all forms persisted by the extension. Note, this vulnerability can only be exploited when following conditions are met:

  • The extension is configured to save submitted form data to the database
  • The powermail plugin setting “Redirect to any other Page after submit” is not set
  • The powermail plugin setting “Text on submit page“ contains the variable “{powermail_all}” or other variables containing sensitive user submitted data.

Solution

Updated versions 7.5.1, 8.5.1, 10.9.1 and 12.4.1 are  available from the TYPO3 extension manager, packagist and at  
https://extensions.typo3.org/extension/download/powermail/7.5.1/zip
https://extensions.typo3.org/extension/download/powermail/8.5.1/zip
https://extensions.typo3.org/extension/download/powermail/10.9.1/zip
https://extensions.typo3.org/extension/download/powermail/12.4.1/zip
Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Marcus Schwemer for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.