GHSA-9jqr-5x45-pgw8

Source
https://github.com/advisories/GHSA-9jqr-5x45-pgw8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-9jqr-5x45-pgw8/GHSA-9jqr-5x45-pgw8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9jqr-5x45-pgw8
Aliases
  • CVE-2024-45233
Published
2024-08-29T00:31:35Z
Modified
2024-08-30T15:14:51.652285Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Summary
Powermail TYPO3 extension Broken Access Control in the OutputController
Details

An issue was discovered in the powermail extension for TYPO3 through version 12.3.5. Several actions in the OutputController can be called directly because access checks are missing or insufficiently implemented, resulting in Broken Access Control. Depending on the configuration of the Powermail Frontend plugins, an unauthenticated attacker can exploit this to edit, update, delete, or export data of persisted forms. The issue is only exploitable when the Powermail Frontend plugins are in use. The fixed versions are 7.5.0, 8.5.0, 10.9.0, and 12.4.0.

Database specific
{
    "nvd_published_at": "2024-08-29T00:15:09Z",
    "cwe_ids": [
        "CWE-284",
        "CWE-285"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-29T18:04:54Z"
}
References

Affected packages

Packagist / in2code/powermail

Package

Name
in2code/powermail
Purl
pkg:composer/in2code/powermail

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
7.5.0

Affected versions

3.*

3.2.0
3.3.0
3.4.0
3.5.0
3.6.0
3.7.0
3.8.0
3.9.0
3.10.0
3.10.1
3.11.0
3.11.1
3.11.2
3.12.0
3.13.0
3.14.0
3.15.0
3.16.0
3.17.0
3.18.0
3.18.1
3.18.2
3.19.0
3.20.0
3.21.0
3.21.1
3.22.0
3.22.1

4.*

4.0.0
4.0.1
4.0.2
4.1.0
4.2.0
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.4.0

5.*

5.0.0
5.0.1
5.1.0
5.2.0
5.2.1
5.2.2
5.3.0
5.3.1
5.3.2
5.4.0
5.5.0
5.6.0

6.*

6.0.0
6.1.0
6.2.0

7.*

7.0.0
7.1.0
7.2.0
7.3.0
7.3.1
7.4.0
7.4.1
7.4.2
7.4.3
7.4.4

Packagist / in2code/powermail

Package

Name
in2code/powermail
Purl
pkg:composer/in2code/powermail

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.5.0

Affected versions

8.*

8.0.0
8.0.1
8.0.2
8.1.0
8.1.1
8.1.2
8.1.3
8.1.4
8.2.0
8.2.1
8.2.2
8.2.3
8.2.4
8.3.0
8.3.1
8.3.2
8.3.3
8.4.0
8.4.1
8.4.2

Packagist / in2code/powermail

Package

Name
in2code/powermail
Purl
pkg:composer/in2code/powermail

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0
Fixed
10.9.0

Affected versions

9.*

9.0.0
9.0.1
9.0.2

10.*

10.0.0
10.1.0
10.2.0
10.3.0
10.3.1
10.3.2
10.3.3
10.4.0
10.4.1
10.4.2
10.4.3
10.5.0
10.6.0
10.6.1
10.7.0
10.7.1
10.7.2
10.7.3
10.7.4
10.8.0
10.8.1
10.8.2

Packagist / in2code/powermail

Package

Name
in2code/powermail
Purl
pkg:composer/in2code/powermail

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
12.4.0

Affected versions

11.*

11.0.0
11.0.1
11.1.0
11.2.0

12.*

12.0.0
12.0.1
12.0.2
12.0.3
12.1.0
12.1.1
12.2.0
12.2.1
12.3.0
12.3.1
12.3.2
12.3.3
12.3.4
12.3.5