CVE-2020-12700
Description
The direct_mail extension through 5.2.3 for TYPO3 allows Information Disclosure via a newsletter subscriber data Special Query.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The TYPO3 direct_mail extension fails to verify backend user access to newsletter subscriber pages, enabling information disclosure via the Special Query feature and CSV export.
Description
The direct_mail extension for TYPO3 prior to version 5.2.4 contains an information disclosure vulnerability (CVE-2020-12700). The extension fails to check if an authenticated backend user has the necessary permissions to access pages containing newsletter subscriber data when using the 'Special Query' feature [3]. This missing access control check allows users to bypass intended restrictions.
Exploitation
An authenticated backend user can leverage the Special Query functionality to retrieve subscriber data from pages they do not have access to. The extension does not validate whether the user is authorized to view the underlying page records, thus allowing unauthorized querying. The data can then be exported via the CSV export function, making the information easily accessible [3].
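The flaw described above is a missing authorization check: the query runs for whatever page id the backend user supplies, without confirming that the user may read that page. The snippet below is an added illustration of that class of defect and its fix; it is not direct_mail's code and not the 5.2.4 patch. The TYPO3 core APIs it calls (`BackendUtility::readPageAccess()`, `getPagePermsClause()`, `Permission::PAGE_SHOW`, the Doctrine `QueryBuilder`) are real; the class `SubscriberQueryGuard` and its methods are hypothetical names for the demonstration.

```php
<?php
// Added example (not direct_mail's own code or its patch): a subscriber lookup that
// fails to check page access, beside the same lookup guarded by TYPO3's page access API.
// Hypothetical names: SubscriberQueryGuard, fetchSubscribersUnchecked, fetchSubscribers.

use TYPO3\CMS\Backend\Utility\BackendUtility;
use TYPO3\CMS\Core\Database\Query\QueryBuilder;
use TYPO3\CMS\Core\Type\Bitmask\Permission;

final class SubscriberQueryGuard
{
    /**
     * Vulnerable pattern: the subscriber table is queried for any $pid the caller
     * passes in. Nothing ties $pid to the pages the backend user is allowed to see,
     * so records from pages outside the user's web mounts are returned.
     */
    public static function fetchSubscribersUnchecked(QueryBuilder $qb, int $pid): array
    {
        return $qb->select('uid', 'name', 'email')
            ->from('tt_address')
            ->where($qb->expr()->eq('pid', $qb->createNamedParameter($pid, \PDO::PARAM_INT)))
            ->execute()      // TYPO3 8/9-era Doctrine DBAL API, matching the affected releases
            ->fetchAll();
    }

    /**
     * Returns the page row if the current backend user may show page $pid, or null.
     * readPageAccess() applies both the user's web mounts and the page permission
     * clause, which is exactly the check the advisory says was skipped.
     */
    public static function accessiblePage(int $pid): ?array
    {
        $permsClause = $GLOBALS['BE_USER']->getPagePermsClause(Permission::PAGE_SHOW);
        $page = BackendUtility::readPageAccess($pid, $permsClause);
        return $page === false ? null : $page;
    }

    /**
     * Hardened pattern: refuse before touching subscriber tables unless the page
     * is readable by the current backend user. Same query, one added gate.
     */
    public static function fetchSubscribers(QueryBuilder $qb, int $pid): array
    {
        if (self::accessiblePage($pid) === null) {
            throw new \RuntimeException(
                sprintf('Backend user has no read access to page %d; refusing subscriber query.', $pid)
            );
        }
        return self::fetchSubscribersUnchecked($qb, $pid);
    }
}
```

The gate belongs on every entry point that turns a page id into subscriber rows (the query itself and the CSV export), not just the UI that lists pages; an export path that reuses an unchecked query re-opens the hole even after the listing is fixed.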
Impact
Successful exploitation leads to the disclosure of newsletter subscriber information, which may include personal data such as names, email addresses, and other details stored in subscriber tables (e.g., tt_address, fe_users). This compromises the confidentiality of sensitive data and may violate privacy regulations [3].
Mitigation
The vulnerability is fixed in version 5.2.4 of the direct_mail extension. Users are advised to update to this version as soon as possible via the TYPO3 extension manager or by downloading the update from the TYPO3 extension repository [3]. No other workarounds have been provided.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| directmailteam/direct-mail (Packagist) | < 5.2.4 | 5.2.4 |
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- github.com/advisories/GHSA-qwmj-72mp-q3m2 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-12700 (advisory)
- typo3.org/help/security-advisories (web, x_refsource_MISC)
- typo3.org/security/advisory/typo3-ext-sa-2020-005 (web, x_refsource_CONFIRM)
News mentions: 0
No linked articles in our index yet.