CVE-2020-12698
Description
The direct_mail extension through 5.2.3 for TYPO3 has Broken Access Control for newsletter subscriber tables.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TYPO3 Direct Mail extension before 5.2.4 has broken access control allowing authenticated backend users to export subscriber data from tables they should not have access to.
Vulnerability
Overview
CVE-2020-12698 is a broken access control vulnerability in the TYPO3 extension Direct Mail (direct_mail) versions up to and including 5.2.3. The extension fails to verify that an authenticated backend user has the proper permissions to access newsletter subscriber tables (such as tt_address or fe_users) when using the CSV export feature. This lack of authorization checks allows users to export data they should not be able to access [3].
Exploitation
Conditions
Exploitation requires an authenticated TYPO3 backend user who can reach the Direct Mail module. No further privileges are needed: the user does not have to hold read or edit rights on the subscriber tables themselves, because the CSV export function does not check those table permissions before exporting [3].
Impact
A successful exploit allows an authenticated backend user to export sensitive subscriber information from tables they are not authorized to view. This can lead to disclosure of personal data, violating privacy policies and potentially exposing confidential information [3].
Mitigation
The vulnerability is fixed in Direct Mail version 5.2.4, which is available from the TYPO3 extension manager and the extension repository. Users are advised to update as soon as possible [3].
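To make the missing check concrete, here is an added PHP illustration that is not direct_mail code and not taken from the advisory: a CSV export that trusts the table name and only relies on the caller being logged in, beside a hardened version that restricts the export to known recipient tables and asks the backend user object for its table read permission. In a real TYPO3 backend that object is $GLOBALS['BE_USER'] (TYPO3\CMS\Core\Authentication\BackendUserAuthentication) and the relevant call is check('tables_select', $table); the StubBackendUser class, the RECIPIENT_TABLES list and the sample rows below are stand-ins so the script runs without a TYPO3 installation.

```php
<?php
declare(strict_types=1);

// Minimal stand-in for TYPO3's BackendUserAuthentication: only the two
// methods the example needs. In TYPO3, check('tables_select', $table)
// consults the tables_select list granted to the user and its groups.
interface BackendUserLike
{
    public function isAdmin(): bool;
    public function check(string $type, string $value): bool;
}

final class StubBackendUser implements BackendUserLike
{
    /** @param string[] $selectableTables tables granted via "tables_select" */
    public function __construct(private bool $admin, private array $selectableTables) {}

    public function isAdmin(): bool
    {
        return $this->admin;
    }

    public function check(string $type, string $value): bool
    {
        return $type === 'tables_select' && in_array($value, $this->selectableTables, true);
    }
}

// Assumed allow-list of tables a newsletter export may read from.
const RECIPIENT_TABLES = ['tt_address', 'fe_users'];

function toCsv(array $rows): string
{
    $out = fopen('php://memory', 'r+');
    foreach ($rows as $row) {
        fputcsv($out, $row, ',', '"', '');
    }
    rewind($out);
    return stream_get_contents($out);
}

// Vulnerable pattern: $user is only proof of a backend session; the table
// name comes from the request and is never authorized, so any backend user
// can export any table.
function exportCsvVulnerable(BackendUserLike $user, string $table, array $rows): string
{
    return toCsv($rows);
}

// Hardened pattern: reject unknown tables, then require tables_select on the
// requested table (admins are implicitly allowed). Returns null on denial so
// the caller can answer with 403 instead of a CSV body.
function exportCsvHardened(BackendUserLike $user, string $table, array $rows): ?string
{
    if (!in_array($table, RECIPIENT_TABLES, true)) {
        return null;
    }
    if (!$user->isAdmin() && !$user->check('tables_select', $table)) {
        return null;
    }
    return toCsv($rows);
}

// Constructed sample subscriber rows, not real data.
$subscribers = [
    ['uid' => 1, 'name' => 'Alice Example', 'email' => 'alice@example.org'],
    ['uid' => 2, 'name' => 'Bob Example',   'email' => 'bob@example.org'],
];

// An editor whose groups grant pages/tt_content but not the subscriber table.
$editor = new StubBackendUser(false, ['pages', 'tt_content']);
echo "vulnerable export for editor:\n" . exportCsvVulnerable($editor, 'tt_address', $subscribers);
echo "hardened export for editor: " . var_export(exportCsvHardened($editor, 'tt_address', $subscribers), true) . "\n";

// A newsletter manager who has been granted tables_select on tt_address.
$manager = new StubBackendUser(false, ['tt_address']);
echo "hardened export for manager:\n" . exportCsvHardened($manager, 'tt_address', $subscribers);
```

Run with `php export_check.php`: the vulnerable function emits both rows for the editor, the hardened one returns NULL for the editor and emits the rows only for the manager. In a real extension the table check is necessary but not sufficient, since TYPO3 records are page-bound; the export should additionally confine the query to pages inside the user's DB mounts (BackendUserAuthentication offers isInWebMount() for that) rather than reading the whole table.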
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| directmailteam/direct-mail (Packagist) | < 5.2.4 | 5.2.4 |
Affected products: 1
Patches: 0 (no patch commits discovered yet)
References
- github.com/advisories/GHSA-9pm8-xcj6-2m33 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-12698 (NVD entry)
- typo3.org/help/security-advisories (TYPO3 security advisories index)
- typo3.org/security/advisory/typo3-ext-sa-2020-005 (vendor advisory TYPO3-EXT-SA-2020-005)