Search
Find a vulnerability
Search criteria
2 vulnerabilities found for Extension "powermail" by TYPO3
CVE-2025-7899 (GCVE-0-2025-7899)
Vulnerability from nvd – Published: 2025-07-22 10:18 – Updated: 2025-07-22 14:18
VLAI
EPSS
VEX
Title
Insecure Direct Object Reference in extension "powermail" (powermail)
Summary
The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TYPO3 | Extension "powermail" |
Affected:
12.0.0 , ≤ 12.5.2
(semver)
Affected: 13.0.0 (semver) |
Date Public
2025-07-22 08:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7899",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-22T14:17:27.489175Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T14:18:12.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://packagist.org/",
"defaultStatus": "unaffected",
"packageName": "in2code/powermail",
"product": "Extension \"powermail\"",
"repo": "https://github.com/in2code-de/powermail",
"vendor": "TYPO3",
"versions": [
{
"lessThanOrEqual": "12.5.2",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "13.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Riny van Tiggelen"
}
],
"datePublic": "2025-07-22T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of\u0026nbsp;\u003cspan style=\"background-color: transparent;\"\u003earbitrary\u003c/span\u003e\u0026nbsp;files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0\u003c/div\u003e"
}
],
"value": "The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of\u00a0arbitrary\u00a0files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0"
}
],
"impacts": [
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T10:18:38.449Z",
"orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
"shortName": "TYPO3"
},
"references": [
{
"url": "https://typo3.org/security/advisory/typo3-ext-sa-2025-009"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Insecure Direct Object Reference in extension \"powermail\" (powermail)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
"assignerShortName": "TYPO3",
"cveId": "CVE-2025-7899",
"datePublished": "2025-07-22T10:18:38.449Z",
"dateReserved": "2025-07-19T12:40:12.631Z",
"dateUpdated": "2025-07-22T14:18:12.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-7899 (GCVE-0-2025-7899)
Vulnerability from cvelistv5 – Published: 2025-07-22 10:18 – Updated: 2025-07-22 14:18
VLAI
EPSS
VEX
Title
Insecure Direct Object Reference in extension "powermail" (powermail)
Summary
The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TYPO3 | Extension "powermail" |
Affected:
12.0.0 , ≤ 12.5.2
(semver)
Affected: 13.0.0 (semver) |
Date Public
2025-07-22 08:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7899",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-22T14:17:27.489175Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T14:18:12.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://packagist.org/",
"defaultStatus": "unaffected",
"packageName": "in2code/powermail",
"product": "Extension \"powermail\"",
"repo": "https://github.com/in2code-de/powermail",
"vendor": "TYPO3",
"versions": [
{
"lessThanOrEqual": "12.5.2",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "13.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Riny van Tiggelen"
}
],
"datePublic": "2025-07-22T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of\u0026nbsp;\u003cspan style=\"background-color: transparent;\"\u003earbitrary\u003c/span\u003e\u0026nbsp;files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0\u003c/div\u003e"
}
],
"value": "The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of\u00a0arbitrary\u00a0files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0"
}
],
"impacts": [
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T10:18:38.449Z",
"orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
"shortName": "TYPO3"
},
"references": [
{
"url": "https://typo3.org/security/advisory/typo3-ext-sa-2025-009"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Insecure Direct Object Reference in extension \"powermail\" (powermail)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
"assignerShortName": "TYPO3",
"cveId": "CVE-2025-7899",
"datePublished": "2025-07-22T10:18:38.449Z",
"dateReserved": "2025-07-19T12:40:12.631Z",
"dateUpdated": "2025-07-22T14:18:12.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}