GHSA-x769-3cwv-f8hc

Source

https://github.com/advisories/GHSA-x769-3cwv-f8hc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-x769-3cwv-f8hc/GHSA-x769-3cwv-f8hc.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-x769-3cwv-f8hc

Aliases

CVE-2025-7899

Published

2025-07-22T12:30:43Z

Modified

2025-07-22T15:12:19.996256Z

Severity

6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Powermail extension for TYPO3 allows Insecure Direct Object Reference

Details

The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0.

Database specific

{
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-22T14:37:09Z",
    "nvd_published_at": "2025-07-22T11:15:24Z",
    "cwe_ids": [
        "CWE-639"
    ]
}

References

Affected packages

Packagist / in2code/powermail

Package

Name: in2code/powermail
Purl: pkg:composer/in2code/powermail

Affected ranges

Type: ECOSYSTEM
Events: Introduced

12.0.0

Fixed

12.5.3

Affected versions

12.*

12.0.0

12.0.1

12.0.2

12.0.3

12.1.0

12.1.1

12.2.0

12.2.1

12.3.0

12.3.1

12.3.2

12.3.3

12.3.4

12.3.5

12.4.0

12.4.1

12.4.2

12.4.3

12.4.4

12.5.0

12.5.1

12.5.2

Packagist / in2code/powermail

Package

Name: in2code/powermail
Purl: pkg:composer/in2code/powermail

Affected ranges

Type: ECOSYSTEM
Events: Introduced

13.0.0

Fixed

13.0.1

Affected versions

13.*

13.0.0