GHSA-p6xx-fhfw-7mj7

Suggest an improvement
Source
https://github.com/advisories/GHSA-p6xx-fhfw-7mj7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-p6xx-fhfw-7mj7/GHSA-p6xx-fhfw-7mj7.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-p6xx-fhfw-7mj7
Aliases
  • CVE-2023-50461
Published
2023-12-13T23:10:38Z
Modified
2024-11-30T05:28:23.535592Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Configuration Injection in extension "Direct Mail" (direct_mail)
Details

The “Configuration” backend module of the extension allows an authenticated user to write arbitrary page TSConfig for folders configured as “Direct Mail”. Exploiting the vulnerability may lead to Configuration Injection (TYPO3 10.4 and above) and to Arbitrary Code Execution (TYPO3 9.5 and below).

A valid backend user account having access to the Direct Mail "Configuration" backend module is needed in order to exploit this vulnerability.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-13T23:10:38Z"
}
References

Affected packages

Packagist / directmailteam/direct-mail

Package

Name
directmailteam/direct-mail
Purl
pkg:composer/directmailteam/direct-mail

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
9.5.2

Affected versions

9.*

9.0.0
9.0.1
9.0.2
9.1.1
9.1.2
9.1.3
9.2.0
9.2.1
9.2.2
9.3.0
9.4.0
9.5.0
9.5.1

Packagist / directmailteam/direct-mail

Package

Name
directmailteam/direct-mail
Purl
pkg:composer/directmailteam/direct-mail

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.3

Affected versions

7.*

7.0.0

v7.*

v7.0.1
v7.0.2

Packagist / directmailteam/direct-mail

Package

Name
directmailteam/direct-mail
Purl
pkg:composer/directmailteam/direct-mail

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.3

Affected versions

5.*

5.0
5.0.1
5.1.0
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4

v5.*

v5.1.1

6.*

6.0.0
6.0.1
6.0.2