CVE-2024-47047
First published: Tue Sep 17 2024(Updated: )
An issue was discovered in the powermail extension through 12.4.0 for TYPO3. It fails to validate the mail parameter of the createAction, resulting in Insecure Direct Object Reference (IDOR) in some configurations. An unauthenticated attacker can use this to display user-submitted data of all forms persisted by the extension. The fixed versions are 7.5.1, 8.5.1, 10.9.1, and 12.4.1.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| In2code Powermail | <=7.5.0 | |
| In2code Powermail | >=8.0.0<=8.5.0 | |
| In2code Powermail | >=9.0.0<=10.9.0 | |
| In2code Powermail | >=12.0.0<=12.4.0 | |
| composer/in2code/powermail | >=12.0.0<12.4.1 | 12.4.1 |
| composer/in2code/powermail | >=9.0.0<10.9.1 | 10.9.1 |
| composer/in2code/powermail | >=8.0.0<8.5.1 | 8.5.1 |
| composer/in2code/powermail | <7.5.1 | 7.5.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://typo3.org/security/advisory/typo3-ext-sa-2024-007
- https://nvd.nist.gov/vuln/detail/CVE-2024-47047
- https://github.com/in2code-de/powermail/commit/095a17637b6370aefd5390663cc11af47210f575
- https://github.com/in2code-de/powermail/commit/682194d71a5f67fa39d899a9625ba69bb62f9bd8
- https://github.com/in2code-de/powermail/commit/91015da289111b86b8dbcb2553d5a722b944231e
- https://github.com/in2code-de/powermail/commit/bbadb8d7a71ddb469d07d106551938c91465b811
- https://github.com/advisories/GHSA-q25c-r482-77p9 (Advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/in2code/powermail/CVE-2024-47047.yaml
Frequently Asked Questions
What is the severity of CVE-2024-47047?
CVE-2024-47047 has a high severity due to potential exposure of user-submitted data.
How do I fix CVE-2024-47047?
To remediate CVE-2024-47047, upgrade the In2code Powermail extension to versions 12.4.1, 10.9.1, 8.5.1, or 7.5.1.
Who is affected by CVE-2024-47047?
CVE-2024-47047 affects all users of In2code Powermail versions up to and including 12.4.0.
What kind of attack does CVE-2024-47047 allow?
CVE-2024-47047 permits an unauthenticated attacker to exploit Insecure Direct Object Reference (IDOR) vulnerabilities.
What is the primary issue in CVE-2024-47047?
The primary issue in CVE-2024-47047 is the failure to validate the mail parameter of the createAction.
- agent/description
- agent/first-publish-date
- agent/type
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/references
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-q25c-r482-77p9
- alias/CVE-2024-47047
- agent/last-modified-date
- collector/nvd-cve
- agent/event
- collector/github-advisory
- agent/softwarecombine
- agent/trending
- agent/tags
- agent/source
- vendor/in2code
- canonical/in2code powermail
- version/in2code powermail/7.5.0
- version/in2code powermail/8.0.0
- version/in2code powermail/8.5.0
- version/in2code powermail/9.0.0
- version/in2code powermail/10.9.0
- version/in2code powermail/12.0.0
- version/in2code powermail/12.4.0
- package-manager/composer