VYPR
Moderate severity · NVD Advisory · Published Oct 16, 2019 · Updated Aug 5, 2024

CVE-2019-16698

Description

The direct_mail (aka Direct Mail) extension through 5.2.2 for TYPO3 has a missing access check in the backend module, allowing a user (with restricted permissions to the fe_users table) to view and export data of frontend users who are subscribed to a newsletter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TYPO3 Direct Mail extension ≤5.2.2 has a missing access check, allowing restricted users to view and export frontend user newsletter data.

The Direct Mail extension for TYPO3 CMS (versions up to and including 5.2.2) contains a missing access check vulnerability in its backend module. This flaw allows a backend user who has restricted permissions on the fe_users table to view and export data of frontend users subscribed to a newsletter, bypassing intended access restrictions [1].

The root cause stems from inadequate permission verification when rendering the recipient list. The commit that fixes the issue adds checks using $GLOBALS['BE_USER']->check('tables_select', $table) and $GLOBALS['BE_USER']->check('tables_modify', $table) to verify that the backend user has the necessary rights to view or edit the table data. Without these checks, any backend user with access to the Direct Mail module could see email addresses and names of newsletter subscribers [2].

An attacker exploiting this vulnerability gains unauthorized access to sensitive information, such as email addresses and names of frontend users. The CVSS v3.0 score for this issue is 4.3 (Medium), with a vector of AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:X, indicating low complexity and low privileges required [4].

The vulnerability is fixed in version 5.2.3, which is available from the TYPO3 extension manager and the TYPO3 Extension Repository. Users are strongly advised to update the extension as soon as possible to mitigate the risk [4].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: directmailteam/direct-mail (Packagist)
Affected versions: < 5.2.3
Patched versions: 5.2.3

Patches
3a7092477729

Security fix release

https://github.com/kartolo/direct_mail · Ivan Kartolo · Oct 15, 2019 · via ghsa
3 files changed · +17 −4
  • Classes/DirectMailUtility.php · +13 −3 · modified
    @@ -819,6 +819,10 @@ public static function getRecordList(array $listArr, $table, $pageId, $editLinkF
             // init iconFactory
             $iconFactory = GeneralUtility::makeInstance(IconFactory::class);
     
    +        $isAllowedDisplayTable = $GLOBALS['BE_USER']->check('tables_select', $table);
    +        $isAllowedEditTable = $GLOBALS['BE_USER']->check('tables_modify', $table);
    +        $notAllowedPlaceholder = $GLOBALS['LANG']->getLL('mailgroup_table_disallowed_placeholder');
    +
             if (is_array($listArr)) {
                 $count = count($listArr);
                 $returnUrl = GeneralUtility::getIndpEnv('REQUEST_URI');
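Review bot: the two `check()` calls added at the top of getRecordList only gate rendering; by the time this function runs, `$listArr` already holds the fetched rows, and the advisory names export as an affected path as well as viewing, so the same `tables_select` check on `$table` should also gate the caller that builds `$listArr` and whatever produces the export, not just this HTML list. The new lines also dereference `$GLOBALS['BE_USER']` and `$GLOBALS['LANG']` unconditionally; if either can be unset in some calling context, treat a missing backend user as not allowed (fail closed) rather than letting the call error out.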
    @@ -827,7 +831,7 @@ public static function getRecordList(array $listArr, $table, $pageId, $editLinkF
                     $editLink = '';
                     if ($row['uid']) {
                         $tableIcon = '<td>' . $iconFactory->getIconForRecord($table, array()) . '</td>';
    -                    if ($editLinkFlag) {
    +                    if ($editLinkFlag && $isAllowedEditTable) {
                             $urlParameters = [
                                 'edit' => [
                                     $table => [
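Review bot: the edit link is now conditioned on `tables_modify`, but not on `$isAllowedDisplayTable`, so a user whose `tables_modify` list includes the table while `tables_select` does not would still get an edit link next to a placeholder cell; `if ($editLinkFlag && $isAllowedDisplayTable && $isAllowedEditTable)` closes that gap. Note also that when the link is suppressed `$editLink` stays `''` while `$tableIcon` is still emitted, so the row still reveals that a record exists.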
    @@ -842,11 +846,17 @@ public static function getRecordList(array $listArr, $table, $pageId, $editLinkF
                         }
                     }
     
    +                if ($isAllowedDisplayTable) {
    +                    $exampleData = '<td nowrap> ' . htmlspecialchars($row['email']) . ' </td>
    +				<td nowrap> ' . htmlspecialchars($row['name']) . ' </td>';
    +                } else {
    +                    $exampleData = '<td nowrap>' . $notAllowedPlaceholder . '</td>';
    +                }
    +
                     $lines[]='<tr class="db_list_normal">
     				' . $tableIcon . '
     				' . $editLink . '
    -				<td nowrap> ' . htmlspecialchars($row['email']) . ' </td>
    -				<td nowrap> ' . htmlspecialchars($row['name']) . ' </td>
    +				' . $exampleData . '
     				</tr>';
                 }
             }
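Review bot: `$notAllowedPlaceholder` is concatenated into the markup without `htmlspecialchars()`, unlike `$row['email']` and `$row['name']` right beside it; the value is a static translation label so the risk is low, but escaping it keeps the function consistent if the label is ever overridden. The disallowed branch also emits one `<td>` where the allowed branch emits two, so the columns will not line up; `<td nowrap colspan="2">` would preserve the layout. Finally, `$exampleData` is a misleading name for the recipient's email and name cells; something like `$recipientCells` reads better.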
    
  • ext_emconf.php · +1 −1 · modified
    @@ -15,7 +15,7 @@
         'description' => 'Advanced Direct Mail/Newsletter mailer system with sophisticated options for personalization of emails including response statistics.',
         'category' => 'module',
         'shy' => 0,
    -    'version' => '5.2.2',
    +    'version' => '5.2.3',
         'dependencies' => 'cms,tt_address',
         'conflicts' => 'sr_direct_mail_ext,it_dmail_fix,plugin_mgm,direct_mail_123',
         'priority' => '',
    
  • Resources/Private/Language/locallang_mod2-6.xlf · +3 −0 · modified
    @@ -592,6 +592,9 @@
     			<trans-unit id="mailgroup_table_fe_users">
     				<source>Website User Table</source>
     			</trans-unit>
    +			<trans-unit id="mailgroup_table_disallowed_placeholder">
    +				<source>Missing permission to display data</source>
    +			</trans-unit>
     			<trans-unit id="nl_cat">
     				<source>Assign categories to content elements</source>
     			</trans-unit>
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
