VYPR
Moderate severity · NVD Advisory · Published Sep 17, 2024 · Updated Mar 17, 2025

CVE-2024-47047

Description

The powermail TYPO3 extension through 12.4.0 has an IDOR vulnerability in createAction, letting unauthenticated attackers view submitted form data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The powermail TYPO3 extension through version 12.4.0 fails to validate the mail parameter of the createAction, resulting in an Insecure Direct Object Reference (IDOR) vulnerability [1][4]. This allows an unauthenticated attacker to access and display user-submitted data from all forms that have been saved by the extension, bypassing intended access controls [2][4].

Exploitation requires specific conditions: the extension must be configured to store submitted form data in the database (rather than only sending it by email), the powermail plugin setting 'Redirect to any other Page after submit' must not be set, and the 'Text on submit page' setting must contain the variable {powermail_all} or other variables that expose sensitive user-provided content [4]. An attacker can then craft a request to the vulnerable createAction endpoint with a manipulated mail parameter and enumerate stored form submissions without authentication [2][4].

Successful exploitation enables an attacker to read personal or confidential data submitted through any saved powermail form, potentially including names, email addresses, messages, or other sensitive fields [1][4]. The CVSS v3.1 score of 5.3 (Medium) reflects the low attack complexity, no privileges required, and network attack vector, with the impact limited to the confidentiality of stored data [4].

Fixed versions 7.5.1, 8.5.1, 10.9.1, and 12.4.1 have been released via the TYPO3 extension manager, Packagist, and the TYPO3 extension repository [4]. Users are advised to upgrade immediately; no workaround is documented [1][4].
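The fix commits below gate createAction on a hash that must match the referenced Mail record. The following is an added illustration of that pattern, not powermail's own code: it assumes an HMAC over the record id with a server-side secret (powermail's HashUtility is not reproduced here), and the stored submissions, the class name SubmissionHashGuard and the two render functions are constructed for the example. It shows the vulnerable shape, where an integer id alone selects the record, beside the hardened shape, where a persisted id is only rendered together with a valid hash and everything else falls back to the empty form.

```php
<?php
// Added example (not powermail code): binding a stored-record reference to a
// keyed hash so that the record id alone is not enough to display its contents.
// Requires PHP 8.0+ (constructor property promotion).
declare(strict_types=1);

final class SubmissionHashGuard
{
    // Assumption: a per-installation secret that is never sent to the client.
    public function __construct(private string $secret) {}

    // Hash handed to the browser once, right after the submission is stored.
    public function issue(int $uid): string
    {
        return hash_hmac('sha256', 'mail:' . $uid, $this->secret);
    }

    // Constant-time comparison of a client-supplied hash against the record id.
    public function isValid(int $uid, string $hash): bool
    {
        return hash_equals($this->issue($uid), $hash);
    }
}

// Constructed stand-in for submissions persisted by the extension, keyed by uid.
$stored = [
    41 => ['name' => 'Alice Example', 'message' => 'please call me back'],
    42 => ['name' => 'Bob Example',   'message' => 'question about invoice'],
];

// Vulnerable shape: the uid taken from the request selects the record directly,
// so any integer in the request renders somebody's stored submission.
function renderVulnerable(array $stored, int $uid): string
{
    return isset($stored[$uid])
        ? json_encode($stored[$uid], JSON_THROW_ON_ERROR)
        : 'form';
}

// Hardened shape, mirroring the patched createAction: a Mail that already has a
// uid is rendered only with a matching hash; a missing or foreign hash falls back
// to the empty form. A null uid (a submission not yet persisted) has no hash to check.
function renderHardened(array $stored, SubmissionHashGuard $guard, ?int $uid, string $hash = ''): string
{
    if ($uid !== null && !$guard->isValid($uid, $hash)) {
        return 'form';
    }
    return $uid !== null && isset($stored[$uid])
        ? json_encode($stored[$uid], JSON_THROW_ON_ERROR)
        : 'form';
}

$guard   = new SubmissionHashGuard('constructed-secret-replace-in-real-use');
$ownHash = $guard->issue(41); // what the submitter's own confirmation page would carry

echo renderVulnerable($stored, 42), PHP_EOL;                  // another user's data is returned
echo renderHardened($stored, $guard, 41, $ownHash), PHP_EOL;  // own submission renders
echo renderHardened($stored, $guard, 42, $ownHash), PHP_EOL;  // hash is bound to 41: 'form'
echo renderHardened($stored, $guard, 42), PHP_EOL;            // no hash at all: 'form'
echo renderHardened($stored, $guard, null), PHP_EOL;          // fresh submission path: 'form'
```

Run with `php example.php`. The design point is that the hash is derived from a secret the client never sees, so knowing or guessing a uid does not let a request produce a valid pair; and the comparison uses hash_equals so that timing does not leak how many leading characters matched.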

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Registry    Affected versions       Patched versions
in2code/powermail   Packagist   < 7.5.1                 7.5.1
in2code/powermail   Packagist   >= 8.0.0, < 8.5.1       8.5.1
in2code/powermail   Packagist   >= 9.0.0, < 10.9.1      10.9.1
in2code/powermail   Packagist   >= 12.0.0, < 12.4.1     12.4.1

Patches

095a17637b63

[SECURITY] Fix IDOR vulnerability in createAction

https://github.com/in2code-de/powermail · Marcus Schwemer · Sep 11, 2024 · via ghsa
1 file changed · +3 −0
  • Classes/Controller/FormController.php (+3 −0, modified)
    @@ -103,6 +103,9 @@ public function initializeCreateAction()
          */
         public function createAction(Mail $mail, string $hash = '')
         {
    +        if ($mail->getUid() !== null && !HashUtility::isHashValid($hash, $mail)) {
    +            $this->forward('form');
    +        }
             $this->signalDispatch(__CLASS__, __FUNCTION__ . 'BeforeRenderView', [$mail, $hash, $this]);
             /** @noinspection PhpUnhandledExceptionInspection */
             $this->dataProcessorRunner->callDataProcessors(
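Review bot: the new guard exempts a Mail whose getUid() is null without saying why; add a one-line comment above the `if` stating that a just-submitted, not-yet-persisted Mail has no uid and therefore nothing to verify, so a later reader does not "tighten" the condition and break the normal submit flow. Also, `$this->forward('form')` is called without an explicit arguments array, unlike the `->withoutArguments()` used on the ForwardResponse in the other two fix commits on this page; either pass an empty array or document that the form action ignores a carried `mail` argument.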
    
bbadb8d7a71d

[SECURITY] Fix IDOR vulnerability in createAction

https://github.com/in2code-de/powermail · Marcus Schwemer · Sep 11, 2024 · via ghsa
1 file changed · +3 −0
  • Classes/Controller/FormController.php (+3 −0, modified)
    @@ -185,6 +185,9 @@ public function initializeCreateAction(): void
          */
         public function createAction(Mail $mail, string $hash = ''): void
         {
    +        if ($mail->getUid() !== null && !HashUtility::isHashValid($hash, $mail)) {
    +            $this->forward('form');
    +        }
             $this->signalDispatch(__CLASS__, __FUNCTION__ . 'BeforeRenderView', [$mail, $hash, $this]);
             /** @noinspection PhpUnhandledExceptionInspection */
             $this->dataProcessorRunner->callDataProcessors(
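Review bot: a rejected hash check falls through to the form view silently, yet a createAction request carrying a persisted uid with a missing or wrong `$hash` is exactly the signal an operator would want to see after this advisory; log the uid and the outcome (not the submitted field values) at warning level before `$this->forward('form')`. The docblock closing at `*/` just above the method should also be updated to state that a persisted Mail now requires a valid hash, since the `$hash = ''` default otherwise reads as optional.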
    
91015da28911

[SECURITY] Fix IDOR vulnerability in createAction

https://github.com/in2code-de/powermail · Marcus Schwemer · Sep 11, 2024 · via ghsa
1 file changed · +3 −0
  • Classes/Controller/FormController.php (+3 −0, modified)
    @@ -197,6 +197,9 @@ public function initializeCreateAction(): void
          */
         public function createAction(Mail $mail, string $hash = ''): ResponseInterface
         {
    +        if ($mail->getUid() !== null && !HashUtility::isHashValid($hash, $mail)) {
    +            return (new ForwardResponse('form'))->withoutArguments();
    +        }
             $isSavingOfMailAllowed = false;
             $this->signalDispatch(__CLASS__, __FUNCTION__ . 'BeforeRenderView', [$mail, $hash, $this]);
             /** @noinspection PhpUnhandledExceptionInspection */
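Review bot: `HashUtility::isHashValid($hash, $mail)` is now the only control between a guessable integer uid and the stored submission, and this one-file change does not show its implementation; the review should confirm that it derives the expected value from a server-side secret rather than from Mail fields alone and compares with `hash_equals` (constant time). Returning `(new ForwardResponse('form'))->withoutArguments()` is the right choice here, as it keeps the `mail` argument out of the forwarded form action.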
    
682194d71a5f

[SECURITY] Fix IDOR vulnerability in createAction

https://github.com/in2code-de/powermail · Marcus Schwemer · Sep 11, 2024 · via ghsa
1 file changed · +3 −0
  • Classes/Controller/FormController.php (+3 −0, modified)
    @@ -299,6 +299,9 @@ public function initializeCreateAction(): void
          */
         public function createAction(Mail $mail, string $hash = ''): ResponseInterface
         {
    +        if ($mail->getUid() !== null && !HashUtility::isHashValid($hash, $mail)) {
    +            return (new ForwardResponse('form'))->withoutArguments();
    +        }
             $event = GeneralUtility::makeInstance(FormControllerCreateActionBeforeRenderViewEvent::class, $mail, $hash, $this);
             $this->eventDispatcher->dispatch($event);
             $mail = $event->getMail();
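Review bot: the guard is correctly placed before the `FormControllerCreateActionBeforeRenderViewEvent` is dispatched, so listeners never receive an unverified Mail, but the change touches a single file and adds no test. A functional test covering the three paths visible here (uid null; uid set with a valid hash; uid set with a missing or wrong hash, expecting the forward to `form`) would lock the fix in across the four maintained branches that received it.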
    
