Release Date: December 1, 2009
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: Version 2.6.4 and all versions below
Vulnerability Type: Cross-Site Scripting (XSS)
Solution: An updated version 2.6.5 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/direct_mail/2.6.5/. Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to TYPO3 Security Team member Georg Ringer who discovered and reported the issue.