GHSA-p652-xcgx-f85m

Source
https://github.com/advisories/GHSA-p652-xcgx-f85m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-p652-xcgx-f85m/GHSA-p652-xcgx-f85m.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-p652-xcgx-f85m
Aliases
  • CVE-2024-45232
Published
2024-08-29T17:59:02Z
Modified
2024-08-30T14:38:13.901241Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Summary
"powermail" (powermail) Insecure Direct Object Reference (IDOR)
Details

An issue was discovered in the powermail extension through 12.3.5 for TYPO3. It fails to validate the mail parameter of the confirmationAction, resulting in an Insecure Direct Object Reference (IDOR). An unauthenticated attacker can use this to display the user-submitted data of all forms persisted by the extension. This can only be exploited when the extension is configured to save submitted form data to the database (plugin.tx_powermail.settings.db.enable=1), which is, however, the default setting of the extension. The fixed versions are 7.5.0, 8.5.0, 10.9.0, and 12.4.0.

Database specific
{
    "nvd_published_at": "2024-08-29T00:15:09Z",
    "cwe_ids": [
        "CWE-639"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-29T17:59:02Z"
}
References

Affected packages

Packagist / in2code/powermail

Package

Name
in2code/powermail
Purl
pkg:composer/in2code/powermail

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
12.4.0

Affected versions

11.*

11.0.0
11.0.1
11.1.0
11.2.0

12.*

12.0.0
12.0.1
12.0.2
12.0.3
12.1.0
12.1.1
12.2.0
12.2.1
12.3.0
12.3.1
12.3.2
12.3.3
12.3.4
12.3.5

Packagist / in2code/powermail

Package

Name
in2code/powermail
Purl
pkg:composer/in2code/powermail

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0
Fixed
10.9.0

Affected versions

9.*

9.0.0
9.0.1
9.0.2

10.*

10.0.0
10.1.0
10.2.0
10.3.0
10.3.1
10.3.2
10.3.3
10.4.0
10.4.1
10.4.2
10.4.3
10.5.0
10.6.0
10.6.1
10.7.0
10.7.1
10.7.2
10.7.3
10.7.4
10.8.0
10.8.1
10.8.2

Packagist / in2code/powermail

Package

Name
in2code/powermail
Purl
pkg:composer/in2code/powermail

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.5.0

Affected versions

8.*

8.0.0
8.0.1
8.0.2
8.1.0
8.1.1
8.1.2
8.1.3
8.1.4
8.2.0
8.2.1
8.2.2
8.2.3
8.2.4
8.3.0
8.3.1
8.3.2
8.3.3
8.4.0
8.4.1
8.4.2

Packagist / in2code/powermail

Package

Name
in2code/powermail
Purl
pkg:composer/in2code/powermail

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
7.5.0

Affected versions

3.*

3.2.0
3.3.0
3.4.0
3.5.0
3.6.0
3.7.0
3.8.0
3.9.0
3.10.0
3.10.1
3.11.0
3.11.1
3.11.2
3.12.0
3.13.0
3.14.0
3.15.0
3.16.0
3.17.0
3.18.0
3.18.1
3.18.2
3.19.0
3.20.0
3.21.0
3.21.1
3.22.0
3.22.1

4.*

4.0.0
4.0.1
4.0.2
4.1.0
4.2.0
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.4.0

5.*

5.0.0
5.0.1
5.1.0
5.2.0
5.2.1
5.2.2
5.3.0
5.3.1
5.3.2
5.4.0
5.5.0
5.6.0

6.*

6.0.0
6.1.0
6.2.0

7.*

7.0.0
7.1.0
7.2.0
7.3.0
7.3.1
7.4.0
7.4.1
7.4.2
7.4.3
7.4.4