Search criteria
2 vulnerabilities found for Extension "powermail" by TYPO3
CVE-2025-7899 (GCVE-0-2025-7899)
Vulnerability from cvelistv5 – Published: 2025-07-22 10:18 – Updated: 2025-07-22 14:18
VLAI?
Summary
The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0
Severity ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TYPO3 | Extension "powermail" |
Affected:
12.0.0 , ≤ 12.5.2
(semver)
Affected: 13.0.0 (semver) |
Credits
Riny van Tiggelen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7899",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-22T14:17:27.489175Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T14:18:12.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://packagist.org/",
"defaultStatus": "unaffected",
"packageName": "in2code/powermail",
"product": "Extension \"powermail\"",
"repo": "https://github.com/in2code-de/powermail",
"vendor": "TYPO3",
"versions": [
{
"lessThanOrEqual": "12.5.2",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "13.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Riny van Tiggelen"
}
],
"datePublic": "2025-07-22T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of\u0026nbsp;\u003cspan style=\"background-color: transparent;\"\u003earbitrary\u003c/span\u003e\u0026nbsp;files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0\u003c/div\u003e"
}
],
"value": "The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of\u00a0arbitrary\u00a0files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0"
}
],
"impacts": [
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T10:18:38.449Z",
"orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
"shortName": "TYPO3"
},
"references": [
{
"url": "https://typo3.org/security/advisory/typo3-ext-sa-2025-009"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Insecure Direct Object Reference in extension \"powermail\" (powermail)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
"assignerShortName": "TYPO3",
"cveId": "CVE-2025-7899",
"datePublished": "2025-07-22T10:18:38.449Z",
"dateReserved": "2025-07-19T12:40:12.631Z",
"dateUpdated": "2025-07-22T14:18:12.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-7899 (GCVE-0-2025-7899)
Vulnerability from nvd – Published: 2025-07-22 10:18 – Updated: 2025-07-22 14:18
VLAI?
Summary
The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0
Severity ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| TYPO3 | Extension "powermail" |
Affected:
12.0.0 , ≤ 12.5.2
(semver)
Affected: 13.0.0 (semver) |
Credits
Riny van Tiggelen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7899",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-22T14:17:27.489175Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T14:18:12.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://packagist.org/",
"defaultStatus": "unaffected",
"packageName": "in2code/powermail",
"product": "Extension \"powermail\"",
"repo": "https://github.com/in2code-de/powermail",
"vendor": "TYPO3",
"versions": [
{
"lessThanOrEqual": "12.5.2",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "13.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Riny van Tiggelen"
}
],
"datePublic": "2025-07-22T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of\u0026nbsp;\u003cspan style=\"background-color: transparent;\"\u003earbitrary\u003c/span\u003e\u0026nbsp;files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0\u003c/div\u003e"
}
],
"value": "The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of\u00a0arbitrary\u00a0files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0"
}
],
"impacts": [
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T10:18:38.449Z",
"orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
"shortName": "TYPO3"
},
"references": [
{
"url": "https://typo3.org/security/advisory/typo3-ext-sa-2025-009"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Insecure Direct Object Reference in extension \"powermail\" (powermail)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
"assignerShortName": "TYPO3",
"cveId": "CVE-2025-7899",
"datePublished": "2025-07-22T10:18:38.449Z",
"dateReserved": "2025-07-19T12:40:12.631Z",
"dateUpdated": "2025-07-22T14:18:12.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}