VYPR
Moderate severity · NVD Advisory · Published Aug 28, 2024 · Updated Aug 29, 2024

CVE-2024-45232

Description

CVE-2024-45232: Powermail for TYPO3 fails to validate the mail parameter in confirmationAction, allowing unauthenticated IDOR to view all persisted form data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Description

CVE-2024-45232 is an Insecure Direct Object Reference (IDOR) vulnerability in the powermail extension (versions through 12.3.5) for TYPO3. The confirmationAction does not validate the mail parameter, enabling an unauthenticated attacker to access and view user-submitted data from all forms that the extension has persisted to the database. This exploitation is possible only when the extension is configured to save submitted form data to the database (plugin.tx_powermail.settings.db.enable=1), which is the default setting [1][3].

Attack Vector

An attacker can exploit this by sending a crafted request to the confirmationAction endpoint with a manipulated mail parameter. No authentication is required, and the attack can be performed over the network without any user interaction. The vulnerability exists in all affected versions, and the prerequisite is that the extension's database storage feature remains enabled [1][3].

Impact

Successful exploitation allows an unauthenticated attacker to read the unencrypted form submissions of all forms stored by powermail. This can expose sensitive personal data collected from website visitors, leading to privacy breaches and potential legal liabilities for the site owner. The CVSS v3.1 base score is 6.5 (Medium), with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating low but measurable impacts on confidentiality, integrity, and availability [1][3].

Mitigation

The vulnerability is remediated in powermail versions 7.5.0, 8.5.0, 10.9.0, and 12.4.0. Administrators are advised to upgrade their installations to one of the fixed versions immediately. As a workaround, disabling database storage (plugin.tx_powermail.settings.db.enable=0) prevents exploitation, though this may affect functionality [2][3].
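The description above (a type-hinted controller argument that Extbase resolves to a stored record by uid) and the fix referenced under Mitigation (reject any Mail that already has a uid before rendering) can be seen side by side in the following added illustration. This is not powermail's code: the `Mail` class, the `mapMailArgument()` stand-in for Extbase property mapping, the two action functions and the sample submissions are all hypothetical and constructed for this example.

```php
<?php
declare(strict_types=1);

// Added illustration (hypothetical names, not powermail code): why an action
// that type-hints a persisted domain object is an IDOR sink, and the
// uid-must-be-null guard that the fix commits apply.

final class Mail
{
    public function __construct(
        private ?int $uid,       // null for a freshly submitted, unsaved mail
        private array $answers,  // visitor-supplied field values
    ) {}

    public function getUid(): ?int { return $this->uid; }
    public function getAnswers(): array { return $this->answers; }
}

// Stand-in for the table of persisted submissions (constructed sample data).
$persisted = [
    41 => new Mail(41, ['email' => 'alice@example.test', 'message' => 'private']),
    42 => new Mail(42, ['email' => 'bob@example.test',   'message' => 'also private']),
];

// Stand-in for Extbase property mapping: an array of field values builds a
// transient object, while a bare integer is treated as a uid and resolved
// against the repository. The controller never sees which path was taken.
function mapMailArgument(mixed $raw, array $repository): ?Mail
{
    if (is_array($raw)) {
        return new Mail(null, $raw);
    }
    if (is_string($raw) && preg_match('/^\d+$/', $raw) === 1) {
        return $repository[(int)$raw] ?? null;
    }
    return null;
}

// Before the fix: renders whatever object the mapper produced, so a uid
// argument selects another visitor's stored record.
function confirmationActionVulnerable(Mail $mail): array
{
    return ['view' => 'confirmation', 'answers' => $mail->getAnswers()];
}

// After the fix: a persisted record must never reach the confirmation step;
// forward to the empty form and drop the request arguments.
function confirmationActionHardened(Mail $mail): array
{
    if ($mail->getUid() !== null) {
        return ['view' => 'form', 'answers' => []];
    }
    return ['view' => 'confirmation', 'answers' => $mail->getAnswers()];
}

// Legitimate flow: the visitor's own submission arrives as an array of values.
$own = mapMailArgument(['email' => 'carol@example.test', 'message' => 'hi'], $persisted);
// Tampered flow: the argument names an existing uid instead of field values.
$foreign = mapMailArgument('41', $persisted);

$actions = [
    'vulnerable' => 'confirmationActionVulnerable',
    'hardened'   => 'confirmationActionHardened',
];
foreach ($actions as $label => $fn) {
    printf("%-10s own submission -> %s\n", $label, json_encode($fn($own)));
    printf("%-10s uid argument   -> %s\n", $label, json_encode($fn($foreign)));
}
```

Run with `php example.php`: the vulnerable action returns the stored record's answers for the uid argument, while the hardened one returns the `form` view with no data. The general lesson for any Extbase controller is that an argument type-hinted to a persisted entity will be fetched by uid from whatever the request supplies, so an action meant for data still in flight needs an explicit check that the object is transient, and an action meant for stored records needs an ownership or permission check.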

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Ecosystem   Affected versions       Patched versions
in2code/powermail   Packagist   >= 11.0.0, < 12.4.0     12.4.0
in2code/powermail   Packagist   >= 9.0.0, < 10.9.0      10.9.0
in2code/powermail   Packagist   >= 8.0.0, < 8.5.0       8.5.0
in2code/powermail   Packagist   < 7.5.0                 7.5.0

Affected products (2)

Patches (4)
f58d70311799

[SECURITY] Prevent information disclosure in confirmation action

https://github.com/in2code-de/powermail · Marcus Schwemer · Aug 24, 2024 · via ghsa
1 file changed · +4 -0
  • Classes/Controller/FormController.php · +4 -0 · modified
    @@ -173,6 +173,10 @@ public function initializeConfirmationAction(): void
          */
         public function confirmationAction(Mail $mail): ResponseInterface
         {
    +        if ($mail->getUid() !== null) {
    +            return (new ForwardResponse('form'))->withoutArguments();
    +        }
    +
             $event = GeneralUtility::makeInstance(FormControllerConfirmationActionEvent::class, $mail, $this);
             $this->eventDispatcher->dispatch($event);
             $mail = $event->getMail();
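Review bot: the guard rejects any Mail that already carries a uid, which is the right invariant for this step (only a transient, just-submitted Mail should be confirmed), but nothing in the hunk records why, so a one-line comment above the check, e.g. `// a persisted record must never be rendered by the confirmation step`, would stop a later refactor from simplifying it away. Returning `(new ForwardResponse('form'))->withoutArguments()` rather than a plain forward is the important detail here, since it drops the `mail` argument so the form action cannot re-bind the same uid; a functional test that calls the action with a uid-bearing argument and asserts the forward would lock that in.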
    
ac402d4972c7

[SECURITY] Prevent possible information disclosure in confirmation action

https://github.com/in2code-de/powermail · Marcus Schwemer · Aug 22, 2024 · via ghsa
1 file changed · +3 -0
  • Classes/Controller/FormController.php · +3 -0 · modified
    @@ -133,6 +133,9 @@ public function initializeConfirmationAction(): void
          */
         public function confirmationAction(Mail $mail): ResponseInterface
         {
    +        if ($mail->getUid() !== null) {
    +            return (new ForwardResponse('form'))->withoutArguments();
    +        }
             $this->signalDispatch(__CLASS__, __FUNCTION__ . 'BeforeRenderView', [$mail, $this]);
             /** @noinspection PhpUnhandledExceptionInspection */
             $this->dataProcessorRunner->callDataProcessors(
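Review bot: placing the check before `$this->signalDispatch(__CLASS__, __FUNCTION__ . 'BeforeRenderView', ...)` is the correct order, because any slot subscribed to that signal would otherwise receive the foreign record before the action had a chance to refuse it. The hunk does document that ordering, though; a short comment stating that the Mail passed to this action must be transient (uid null) and that listeners must not run for persisted records would make the dependency explicit for anyone adding code between the guard and the dispatch.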
    
e2ddfaa06d29

[SECURITY] Prevent information disclosure of records

https://github.com/in2code-de/powermail · Marcus Schwemer · Aug 2, 2024 · via ghsa
1 file changed · +3 -0
  • Classes/Controller/FormController.php · +3 -0 · modified
    @@ -182,6 +182,9 @@ public function initializeConfirmationAction()
          */
         public function confirmationAction(Mail $mail)
         {
    +        if ($mail->getUid() !== null) {
    +            $this->forward('form');
    +        }
             $this->signalDispatch(__CLASS__, __FUNCTION__ . 'BeforeRenderView', [$mail, $this]);
             /** @noinspection PhpUnhandledExceptionInspection */
             $this->dataProcessorRunner->callDataProcessors(
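Review bot: `$this->forward('form')` on this older Extbase API keeps the current request arguments unless an arguments array is passed explicitly, unlike the `withoutArguments()` variant used in the newer branches, so it is worth confirming that `formAction` does not bind a `mail` argument of its own, or passing an empty arguments array to be safe. The absence of a `return` after the forward is fine because `forward()` throws a StopActionException, but the block reads as if execution could fall through to `signalDispatch`, so a comment noting that the forward terminates the action would help.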
    
061756732357

[SECURITY] Prevent information disclosure of records

https://github.com/in2code-de/powermail · Marcus Schwemer · Aug 2, 2024 · via ghsa
1 file changed · +3 -0
  • Classes/Controller/FormController.php · +3 -0 · modified
    @@ -123,6 +123,9 @@ public function initializeConfirmationAction(): void
          */
         public function confirmationAction(Mail $mail): void
         {
    +        if ($mail->getUid() !== null) {
    +            $this->forward('form');
    +        }
             $this->signalDispatch(__CLASS__, __FUNCTION__ . 'BeforeRenderView', [$mail, $this]);
             /** @noinspection PhpUnhandledExceptionInspection */
             $this->dataProcessorRunner->callDataProcessors(
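Review bot: the early forward runs after Extbase has already mapped the `mail` argument, so a uid-bearing request still causes the record to be fetched from the database before being discarded; the guard is sufficient to prevent disclosure, but rejecting a scalar `mail` argument in `initializeConfirmationAction` (visible in the hunk header) would refuse such requests before any fetch and give a single place to log them. As in the sibling branch, `forward('form')` without an arguments array carries the request arguments along, so `formAction` must not accept a `mail` parameter.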
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (8)

News mentions (0)

No linked articles in our index yet.