GHSA-f683-35w9-28g5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f683-35w9-28g5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-f683-35w9-28g5/GHSA-f683-35w9-28g5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f683-35w9-28g5
- Aliases
- Published
- 2022-12-14T21:30:16Z
- Modified
- 2023-11-08T04:11:00.229087Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Multiple vulnerabilities in extension "Newsletter subscriber management" (fp_newsletter)
- Details
-
The CAPTCHA of the extension can be bypassed which may result in automated creation of various newsletter subscribers. It is possible to provide arbitrary subscription UIDs to the
deleteActionof the extension resulting in all newsletter subscribers to be unsubscribed. Insufficient access checks in thecreateActionandunsubscribeActioncan be used to obtain data of existing newsletter subscribers. - Database specific
{ "nvd_published_at": "2022-12-14T21:15:00Z", "cwe_ids": [ "CWE-863" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2023-02-08T00:23:48Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-47408
- https://github.com/bihor/fp_newsletter/commit/bc673cd9ab04f3fdd1225303f2ccb378b11a3747
- https://github.com/FriendsOfPHP/security-advisories/blob/master/fixpunkt/fp-newsletter/CVE-2022-47408.yaml
- https://github.com/bihor/fp_newsletter
- https://typo3.org/security/advisory/typo3-ext-sa-2022-017
Affected packages
Packagist / fixpunkt/fp-newsletter
Package
- Name
- fixpunkt/fp-newsletter
- Purl
- pkg:composer/fixpunkt/fp-newsletter
Packagist / fixpunkt/fp-newsletter
Package
- Name
- fixpunkt/fp-newsletter
- Purl
- pkg:composer/fixpunkt/fp-newsletter
Packagist / fixpunkt/fp-newsletter
Package
- Name
- fixpunkt/fp-newsletter
- Purl
- pkg:composer/fixpunkt/fp-newsletter