VYPR
Moderate severity · NVD Advisory · Published May 13, 2020 · Updated Aug 4, 2024

CVE-2020-12697


Description

The direct_mail extension through 5.2.3 for TYPO3 allows Denial of Service via log entries.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The TYPO3 Direct Mail extension allows unauthenticated attackers to fill log tables with excessive entries, causing a denial of service.

Vulnerability

Overview

The Direct Mail extension for TYPO3 (versions 5.2.3 and below) contains a vulnerability identified as CVE-2020-12697, which enables a denial of service (DoS) condition. The issue resides in the click tracking functionality used to log clicks on links within sent newsletters. The extension does not limit the number of log entries that can be generated per link, allowing an attacker to repeatedly trigger log recording without any rate limiting or access control [1][3].

Exploitation

Prerequisites

The vulnerability can be exploited remotely by an unauthenticated attacker who has access to a valid newsletter link that includes click tracking parameters. Because the logging mechanism accepts requests without authentication or validation of the request frequency, an attacker can simply send a large number of requests to the same tracked URL to rapidly populate the log table with records [1][2][3].

Impact

By filling the log table with a massive volume of entries, an attacker can exhaust database storage or degrade database performance, leading to a denial of service condition for the TYPO3 instance. This impacts the availability of the CMS and any services relying on the affected database. The advisory rates the severity as High, with a CVSS v3.1 score that reflects a low impact on confidentiality but a high impact on availability [3].

Mitigation

The TYPO3 security team released version 5.2.4 of Direct Mail on May 12, 2020, which addresses this vulnerability. Users are strongly advised to update to this version or later via the TYPO3 extension manager or direct download [3]. For those unable to upgrade immediately, disabling the click tracking feature may serve as a temporary workaround, though the official patch is the recommended course of action.
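One defensive pattern for the write path described in the Overview and Mitigation sections (a click log that deduplicates per recipient and caps rows per link), as an added illustration in Python rather than the extension's own PHP; ClickLog, its field names and the cap value are assumptions, not direct_mail's API.

```python
"""Bounded click-tracking log: added illustration, not direct_mail code.

The defect class described above is an unbounded write path: every hit on a
tracked newsletter link inserts a log row. The hypothetical ClickLog below
writes at most one row per (mail, recipient, link) and refuses further rows
for a link once a per-link cap is reached, so a flood of repeated requests
cannot grow the table without bound. Names and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ClickLog:
    max_rows_per_link: int = 1000      # assumed cap; size to expected recipients
    rows: list = field(default_factory=list)
    per_link: dict = field(default_factory=lambda: defaultdict(int))
    seen: set = field(default_factory=set)   # in a DB: unique index on the key
    dropped: int = 0

    def record(self, mail_id: int, recipient_id: int, link_id: int) -> bool:
        """Return True if a row was written, False if the hit was suppressed."""
        key = (mail_id, recipient_id, link_id)
        if key in self.seen:                 # repeat click by same recipient
            self.dropped += 1
            return False
        if self.per_link[(mail_id, link_id)] >= self.max_rows_per_link:
            self.dropped += 1                # link-level cap bounds table growth
            return False
        self.seen.add(key)
        self.per_link[(mail_id, link_id)] += 1
        self.rows.append(key)
        return True


def simulate_flood(log: ClickLog, mail_id: int = 7, link_id: int = 3,
                   hits: int = 5000) -> tuple:
    """Replay many hits on one tracked URL (constructed traffic), cycling
    through 50 recipient ids; returns (rows written, hits suppressed)."""
    for i in range(hits):
        log.record(mail_id, i % 50, link_id)
    return len(log.rows), log.dropped
```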

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: directmailteam/direct-mail (Packagist)
Affected versions: < 5.2.4
Patched versions: 5.2.4
