Security vulnerabilities discovered in TYPO3 extension "Powermail": Update urgently required


Several security vulnerabilities have recently been identified in the popular TYPO3 extension "Powermail" that could jeopardize the security of your website.

Specifically, these are vulnerabilities in the areas of Insecure Direct Object Reference (IDOR) and Broken Access Control. These vulnerabilities allow an attacker to access and manipulate sensitive user data without authentication.

Affected are all versions of the "Powermail" extension up to version 7.4.3, as well as versions 8.0.0 to 8.4.2, 9.0.0 to 10.8.2 and 12.0.0 to 12.3.5. Because the "mail" parameter in the "confirmationAction" is processed insecurely, an attacker can access stored form data if the default setting to store the form data in the database is activated. This means that sensitive user data collected via forms could be at risk.

In addition, several actions in the extension's "OutputController" can be called directly due to insufficient access controls. This could allow an attacker to edit, update, delete or export form data if certain plugins of the "Powermail Frontend" extension are active.

Updated versions of the "Powermail" extension have been released to address these vulnerabilities. It is strongly recommended to update the extension to the latest versions.

It is important to note that the "Export" and "RSS" functions of the "Powermail Frontend" plugin have been removed in the new versions. They are removed without replacement to further improve the security of the extension.

Keep your TYPO3 installation secure and update "Powermail" to one of the new versions immediately.
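To see whether an installation falls into the version ranges listed above, the following added example (not code from the Powermail project or from this article's author) reads a `composer.lock` and compares the installed version against those ranges. It assumes a Composer-managed TYPO3 installation and that the extension is installed under the package name `in2code/powermail`; the lock file content is a constructed sample. A `False` result only means the version is outside the ranges named in this article.

```python
import json

# Affected ranges exactly as listed in the article (inclusive bounds).
AFFECTED_RANGES = [
    ((0, 0, 0), (7, 4, 3)),
    ((8, 0, 0), (8, 4, 2)),
    ((9, 0, 0), (10, 8, 2)),
    ((12, 0, 0), (12, 3, 5)),
]

# Assumption: Composer package name of the extension; adjust if yours differs.
PACKAGE_NAME = "in2code/powermail"


def parse_version(raw):
    """Turn '12.3.5' or 'v12.3.5' into (12, 3, 5); return None for dev branches."""
    parts = raw.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def in_affected_range(raw):
    """True/False for a release version, None if the version cannot be parsed."""
    version = parse_version(raw)
    if version is None:
        return None
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def check_lockfile(lock_text, package=PACKAGE_NAME):
    """Return (installed_version, affected) from composer.lock text, or (None, None)."""
    lock = json.loads(lock_text)
    for entry in lock.get("packages", []) + lock.get("packages-dev", []):
        if entry.get("name") == package:
            return entry.get("version"), in_affected_range(entry.get("version", ""))
    return None, None


# Constructed sample composer.lock content, not taken from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "typo3/cms-core", "version": "v12.4.10"},
        {"name": "in2code/powermail", "version": "12.3.5"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    version, affected = check_lockfile(SAMPLE_LOCK)
    print(f"{PACKAGE_NAME} {version}: in affected range = {affected}")
```

A result of `None` for the affected flag means the version string is a branch alias or otherwise unparseable and has to be checked by hand.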


Who writes here?

Hi, I am Wolfgang.

Since 2006, I've been diving deep into the fascinating world of TYPO3 - it's not only my profession, but also my passion. My path has taken me through countless projects, and I have created hundreds of professional video tutorials focusing on TYPO3 and its extensions. I love unraveling complex topics and turning them into easy-to-understand concepts, which is also reflected in my trainings and seminars.

As an active member of the TYPO3 Education Committee, I am committed to keeping the TYPO3 CMS Certified Integrator exam questions current and challenging. Since January 2024, I am proud to be an official TYPO3 Consultant Partner!

But my passion doesn't end at the screen. When I'm not diving into the depths of TYPO3, you'll often find me on my bike, exploring the picturesque trails around Lake Constance. These outdoor excursions are my perfect balance - they keep my mind fresh and always provide me with new ideas.
