Security vulnerabilities discovered in TYPO3 extension "Powermail": Update urgently required


Several security vulnerabilities have recently been identified in the popular TYPO3 extension "Powermail" that could jeopardize the security of your website.

Specifically, they are Insecure Direct Object Reference (IDOR) and Broken Access Control vulnerabilities. They allow an attacker to access and manipulate sensitive user data without authentication.

The vulnerabilities affect all versions of the "Powermail" extension up to version 7.4.3, as well as versions 8.0.0 to 8.4.2, 9.0.0 to 10.8.2 and 12.0.0 to 12.3.5. An attacker can access stored form data through the insecure processing of the "mail" parameter in the "confirmationAction" if the default setting to store form data in the database is activated. This means that sensitive user data collected via forms could be at risk.

In addition, several actions in the extension's "OutputController" can be called directly due to insufficient access controls. This could allow an attacker to edit, update, delete or export form data if certain plugins of the "Powermail Frontend" extension are active.
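To make the two weaknesses described above concrete, here is an added example in plain PHP. It is not Powermail's code and does not reproduce the extension's actual fix; the class and function names (MailRepository, confirmationActionInsecure, confirmationActionSecure, dispatchOutputAction), the session key and the sample records are assumptions for the illustration. The first pair shows a confirmation step that trusts a record id from the request (the IDOR pattern) beside one that only accepts the id the current session submitted; the third function shows an explicit allow-list in front of edit/update/delete/export style actions.

```php
<?php
// Added illustration, not Powermail's code. Names and data are constructed.
declare(strict_types=1);

session_start();

/** Hypothetical in-memory store of submitted form records (constructed sample data). */
final class MailRepository
{
    private array $rows = [
        1 => ['uid' => 1, 'email' => 'alice@example.test', 'message' => 'Alice private note'],
        2 => ['uid' => 2, 'email' => 'bob@example.test',   'message' => 'Bob private note'],
    ];

    public function findByUid(int $uid): ?array
    {
        return $this->rows[$uid] ?? null;
    }
}

/* Vulnerable pattern: the record id comes straight from the request and the
 * record is rendered without checking who submitted it. A visitor who alters
 * the "mail" parameter is shown another visitor's stored form data (IDOR). */
function confirmationActionInsecure(MailRepository $repo, array $request): array
{
    $mail = $repo->findByUid((int)($request['mail'] ?? 0));
    return $mail ?? ['error' => 'not found'];
}

/* Hardened pattern: at submission time the server notes which uid this
 * session is allowed to confirm; the confirmation step accepts only that uid,
 * whatever the request claims. */
function rememberSubmittedMail(int $uid): void
{
    $_SESSION['confirmed_mail_uid'] = $uid;   // hypothetical session key
}

function confirmationActionSecure(MailRepository $repo, array $request): array
{
    $requested = (int)($request['mail'] ?? 0);
    $allowed   = $_SESSION['confirmed_mail_uid'] ?? null;

    // Deny unless the session owns exactly this record. The same generic error
    // is returned for "foreign" and "missing" so the response does not reveal
    // whether a given uid exists.
    if ($allowed === null || $requested !== $allowed) {
        return ['error' => 'not found'];
    }
    return $repo->findByUid($requested) ?? ['error' => 'not found'];
}

/* Second pattern (broken access control): publicly reachable controller
 * actions such as edit/update/delete/export must be gated explicitly. The
 * allow-list is checked before dispatch, so naming an action in the request
 * is not enough to reach it when the plugin instance has not enabled it. */
function dispatchOutputAction(string $action, array $enabledActions, callable $handler): array
{
    $readOnly  = ['list', 'show'];                 // harmless actions always permitted
    $permitted = array_merge($readOnly, $enabledActions);

    if (!in_array($action, $permitted, true)) {
        http_response_code(403);
        return ['error' => 'action not permitted'];
    }
    return $handler($action);
}

// Demonstration with the constructed data above.
$repo = new MailRepository();
rememberSubmittedMail(1);                                      // this session submitted record 1

var_dump(confirmationActionInsecure($repo, ['mail' => '2']));  // hands out Bob's record to Alice's session
var_dump(confirmationActionSecure($repo, ['mail' => '2']));    // refused: not this session's record
var_dump(confirmationActionSecure($repo, ['mail' => '1']));    // Alice's own record

var_dump(dispatchOutputAction('delete', [], fn($a) => ['ran' => $a]));          // refused: not enabled
var_dump(dispatchOutputAction('delete', ['delete'], fn($a) => ['ran' => $a]));  // runs the handler
```

The point of the session-bound check is that an unauthenticated form visitor has no account to authorise against, so the only sound ownership signal the server has is what it recorded itself during the submission; a record id arriving in the URL is untrusted input and must never be the sole key for returning stored data.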

Updated versions of the "Powermail" extension have been released to address these vulnerabilities. It is strongly recommended to update the extension to the latest versions.

It is important to note that the "Export" and "RSS" functions of the "Powermail Frontend" plugin have been removed in the new versions. These functions have been removed without replacement to further improve the security of the extension.

Keep your TYPO3 installation secure and update "Powermail" to one of the new versions immediately.



Hi, I'm Wolfgang.

I have been working with TYPO3 since 2006. Not in theory, but in real projects with real deadlines. I've probably had the problems you're having three times already.

At some point, I started putting my knowledge into video courses. Not because I like being in front of the camera, but because I kept hearing the same questions over and over again. There are now hundreds of videos. Every single one was the result of a specific question from a specific project.

What makes me different from a YouTube tutorial: I not only know the solution, but also the context. Why something works. When it doesn't work. And which mistakes you can avoid because I've already made them.

As a member of the TYPO3 Education Committee, I make sure that the certification exams are kept up to date. What is tested there flows directly into my courses.