Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Extension "powermail" by TYPO3

    CVE-2025-7899 (GCVE-0-2025-7899)

    Vulnerability from nvd – Published: 2025-07-22 10:18 – Updated: 2025-07-22 14:18
    VLAI
    Title
    Insecure Direct Object Reference in extension "powermail" (powermail)
    Summary
    The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    TYPO3 Extension "powermail" Affected: 12.0.0 , ≤ 12.5.2 (semver)
    Affected: 13.0.0 (semver)
    Create a notification for this product.
    Date Public
    2025-07-22 08:00
    Credits
    Riny van Tiggelen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-7899",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-22T14:17:27.489175Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-22T14:18:12.927Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://packagist.org/",
              "defaultStatus": "unaffected",
              "packageName": "in2code/powermail",
              "product": "Extension \"powermail\"",
              "repo": "https://github.com/in2code-de/powermail",
              "vendor": "TYPO3",
              "versions": [
                {
                  "lessThanOrEqual": "12.5.2",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Riny van Tiggelen"
            }
          ],
          "datePublic": "2025-07-22T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eThe powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of\u0026nbsp;\u003cspan style=\"background-color: transparent;\"\u003earbitrary\u003c/span\u003e\u0026nbsp;files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0\u003c/div\u003e"
                }
              ],
              "value": "The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of\u00a0arbitrary\u00a0files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-137",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-137 Parameter Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-22T10:18:38.449Z",
            "orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
            "shortName": "TYPO3"
          },
          "references": [
            {
              "url": "https://typo3.org/security/advisory/typo3-ext-sa-2025-009"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Insecure Direct Object Reference in extension \"powermail\" (powermail)",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
        "assignerShortName": "TYPO3",
        "cveId": "CVE-2025-7899",
        "datePublished": "2025-07-22T10:18:38.449Z",
        "dateReserved": "2025-07-19T12:40:12.631Z",
        "dateUpdated": "2025-07-22T14:18:12.927Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-7899 (GCVE-0-2025-7899)

    Vulnerability from cvelistv5 – Published: 2025-07-22 10:18 – Updated: 2025-07-22 14:18
    VLAI
    Title
    Insecure Direct Object Reference in extension "powermail" (powermail)
    Summary
    The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    TYPO3 Extension "powermail" Affected: 12.0.0 , ≤ 12.5.2 (semver)
    Affected: 13.0.0 (semver)
    Create a notification for this product.
    Date Public
    2025-07-22 08:00
    Credits
    Riny van Tiggelen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-7899",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-22T14:17:27.489175Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-22T14:18:12.927Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://packagist.org/",
              "defaultStatus": "unaffected",
              "packageName": "in2code/powermail",
              "product": "Extension \"powermail\"",
              "repo": "https://github.com/in2code-de/powermail",
              "vendor": "TYPO3",
              "versions": [
                {
                  "lessThanOrEqual": "12.5.2",
                  "status": "affected",
                  "version": "12.0.0",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "13.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Riny van Tiggelen"
            }
          ],
          "datePublic": "2025-07-22T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eThe powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of\u0026nbsp;\u003cspan style=\"background-color: transparent;\"\u003earbitrary\u003c/span\u003e\u0026nbsp;files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0\u003c/div\u003e"
                }
              ],
              "value": "The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of\u00a0arbitrary\u00a0files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-137",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-137 Parameter Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-22T10:18:38.449Z",
            "orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
            "shortName": "TYPO3"
          },
          "references": [
            {
              "url": "https://typo3.org/security/advisory/typo3-ext-sa-2025-009"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Insecure Direct Object Reference in extension \"powermail\" (powermail)",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
        "assignerShortName": "TYPO3",
        "cveId": "CVE-2025-7899",
        "datePublished": "2025-07-22T10:18:38.449Z",
        "dateReserved": "2025-07-19T12:40:12.631Z",
        "dateUpdated": "2025-07-22T14:18:12.927Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }