TYPO3 Powermail Extension Insecure Direct Object Reference Vulnerability

Vulnerability

A vulnerability in the Powermail extension for TYPO3 allows Insecure Direct Object Reference (IDOR): authenticated backend users with access to the Powermail backend module can download arbitrary files from the web server. This issue affects Powermail versions 12.0.0 through 12.5.2 and version 13.0.0. The vulnerability arises because the extension does not properly validate the 'file' query parameter in the 'downloadFile' function of the backend module, so the supplied value is used as a file reference without being confined to the upload location of Powermail records. Exploitation requires at least one Powermail email record containing an uploaded file to be available in the backend.
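The following is an added illustration, not Powermail's own code and not the actual patch shipped in 12.5.3 or 13.0.1. It shows the general shape of a backend "download an uploaded file" action with the weakness described above next to a hardened version. The upload directory, the function names and the `$allowedFilenames` list (which in a real implementation would be derived from the mail records the current backend user is permitted to see) are assumptions made for the example.

```php
<?php
// Added example (not project code): an unvalidated 'file' parameter beside a
// hardened handler. UPLOAD_DIR and the record lookup are assumptions.

declare(strict_types=1);

// Assumed location of Powermail uploads; real installations may differ.
const UPLOAD_DIR = '/var/www/html/fileadmin/user_upload/tx_powermail/';

// Vulnerable shape: the request parameter becomes part of the path as-is.
// A value such as "../../../../etc/passwd" or an absolute path reaches the
// filesystem, so any file readable by the web server process can be fetched.
function downloadFileVulnerable(string $file): ?string
{
    $path = UPLOAD_DIR . $file;
    if (!is_file($path)) {
        return null;
    }
    return file_get_contents($path);
}

// Hardened shape: accept only a bare file name, require it to belong to a
// record the caller is allowed to read, and confirm the resolved path is
// still inside the upload directory.
function downloadFileHardened(string $file, array $allowedFilenames): ?string
{
    // 1. Reject empty names, directory components and NUL bytes.
    if ($file === '' || $file !== basename($file) || strpos($file, "\0") !== false) {
        return null;
    }
    // 2. Authorisation for the object reference: the file must be one that is
    //    attached to a Powermail mail record visible to the current user.
    if (!in_array($file, $allowedFilenames, true)) {
        return null;
    }
    // 3. Canonicalise (resolves symlinks and "..") and confine to UPLOAD_DIR,
    //    so a symlink placed inside the folder cannot escape it either.
    $base = realpath(UPLOAD_DIR);
    $real = realpath(UPLOAD_DIR . $file);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return file_get_contents($real);
}

// Constructed inputs for a quick local check (no real records involved).
$allowed = ['attachment-42.pdf'];
var_dump(downloadFileHardened('../../../../etc/passwd', $allowed) === null); // bool(true)
var_dump(downloadFileHardened('/etc/passwd', $allowed) === null);            // bool(true)
var_dump(downloadFileHardened('other.pdf', $allowed) === null);              // bool(true)
```

The authorisation step is the one that addresses the IDOR itself: path confinement alone still lets any backend user with module access fetch every upload made through Powermail, while checking the name against the records the user may view limits the download to what the module would display anyway.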

Impact

Exploitation of this vulnerability lets an authenticated backend user with access to the Powermail module download files outside the intended upload location, that is, any file readable by the web server process, which may include sensitive configuration data and other confidential files on the server.

Remediation

Users are advised to update to Powermail version 12.5.3 (for the 12.x branch) or 13.0.1 (for the 13.x branch), available through the TYPO3 Extension Manager, Packagist, or directly from the TYPO3 Extension Repository.

Added: Jul 22, 2025, 11:18 AM
Updated: Jul 22, 2025, 1:15 PM

Vulnerability Rating

Custom Algorithm

spread:         5.2
impact:         2.5
exploitability: 5.0
remediation:    7.7
relevance:      0.3
threat:         0.0
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.