CVE-2024-45233
First published: Wed Aug 28 2024(Updated: )
An issue was discovered in powermail extension through 12.3.5 for TYPO3. Several actions in the OutputController can directly be called, due to missing or insufficiently implemented access checks, resulting in Broken Access Control. Depending on the configuration of the Powermail Frontend plugins, an unauthenticated attacker can exploit this to edit, update, delete, or export data of persisted forms. This can only be exploited when the Powermail Frontend plugins are used. The fixed versions are 7.5.0, 8.5.0, 10.9.0, and 12.4.0.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/in2code/powermail | >=11.0.0<12.4.0 | 12.4.0 |
| composer/in2code/powermail | >=9.0.0<10.9.0 | 10.9.0 |
| composer/in2code/powermail | >=8.0.0<8.5.0 | 8.5.0 |
| composer/in2code/powermail | <7.5.0 | 7.5.0 |
| In2code Powermail | <7.5.0 | |
| In2code Powermail | >=8.0.0<8.5.0 | |
| In2code Powermail | >=9.0.0<10.9.0 | |
| In2code Powermail | >=12.0.0<12.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://typo3.org/security/advisory/typo3-ext-sa-2024-006
- https://nvd.nist.gov/vuln/detail/CVE-2024-45233
- https://github.com/in2code-de/powermail/commit/04a010c4009202e8e1b4c72accd4d7b2771b80b3
- https://github.com/in2code-de/powermail/commit/2c8a1bf7669eb0661e8a93164f57e4b653ac3408
- https://github.com/in2code-de/powermail/commit/6e94ec5e0c7b553c467b826df1b922db6c2ad08e
- https://github.com/in2code-de/powermail/commit/f56f8eefe151ad67cbd32c21f1106953b8e4f19f
- https://github.com/advisories/GHSA-9jqr-5x45-pgw8 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-45233?
CVE-2024-45233 has a critical severity level due to insufficient access control in the Powermail extension for TYPO3.
How do I fix CVE-2024-45233?
To fix CVE-2024-45233, update the Powermail extension to version 12.4.0 or later, or to version 10.9.0 or 8.5.0 as applicable.
Which versions are affected by CVE-2024-45233?
CVE-2024-45233 affects Powermail versions between 7.0.0 and 12.3.5 inclusive.
What type of vulnerability is CVE-2024-45233?
CVE-2024-45233 is classified as a Broken Access Control vulnerability.
Is user data at risk due to CVE-2024-45233?
Yes, due to the flawed access checks, user data may be exposed to unauthorized actions.
- agent/type
- agent/first-publish-date
- agent/description
- agent/references
- agent/author
- agent/weakness
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-9jqr-5x45-pgw8
- alias/CVE-2024-45233
- agent/software-canonical-lookup
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/severity
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- collector/nvd-cve
- agent/event
- collector/github-advisory
- agent/trending
- agent/tags
- agent/source
- package-manager/composer
- vendor/in2code
- canonical/in2code powermail
- version/in2code powermail/8.0.0
- version/in2code powermail/9.0.0
- version/in2code powermail/12.0.0