Medium severity · GHSA Advisory · Published Jul 22, 2025 · Updated Apr 15, 2026
CVE-2025-7899
Description
The powermail extension for TYPO3 allows an Insecure Direct Object Reference in the backend module's file download route, resulting in the download of arbitrary files from the webserver. This issue affects powermail versions 12.0.0 through 12.5.2 and version 13.0.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| in2code/powermail | Packagist | >= 12.0.0, < 12.5.3 | 12.5.3 |
| in2code/powermail | Packagist | >= 13.0.0, < 13.0.1 | 13.0.1 |
Affected products (1)
- Range: = 13.0.0
Patches
1b39e129c5e2a: [SECURITY] Add hmac validation to file downloads in be module
4 files changed · +48 −4
Classes/Controller/ModuleController.php+8 −2 modified@@ -353,10 +353,10 @@ protected function checkAdminPermissions(): ?ResponseInterface public function downloadFile(ServerRequestInterface $request): ?ResponseInterface { $queryParams = $request->getQueryParams(); - if (array_key_exists('file', $queryParams)) { + if (array_key_exists('file', $queryParams) && array_key_exists('hmac', $queryParams)) { $fileName = basename($queryParams['file']); $absoluteFileName = GeneralUtility::getFileAbsFileName($queryParams['file']); - if (is_file($absoluteFileName)) { + if (is_file($absoluteFileName) && $this->isValidHmac($absoluteFileName, $queryParams['hmac'])) { (mime_content_type($absoluteFileName) === false) ? $mimeType = '' : $mimeType = mime_content_type($absoluteFileName); return $this->responseFactory->createResponse() ->withHeader('Content-Type', $mimeType) @@ -367,4 +367,10 @@ public function downloadFile(ServerRequestInterface $request): ?ResponseInterfac return new ForwardResponse('list'); } + + protected function isValidHmac(string $fileName, string $hmacFromQuery): bool + { + $hmacGenerated = BasicFileUtility::getHmacForFile($fileName); + return hash_equals($hmacGenerated, $hmacFromQuery); + } }
Classes/Utility/BasicFileUtility.php+5 −0 modified@@ -81,4 +81,9 @@ public static function getRelativeFolder(string $path): string return $path; } + + public static function getHmacForFile(string $file): string + { + return GeneralUtility::hmac($file, '_powermail'); + } }
Classes/ViewHelpers/Misc/GetHmacForFileViewHelper.php+34 −0 added@@ -0,0 +1,34 @@ +<?php + +declare(strict_types=1); + +namespace In2code\Powermail\ViewHelpers\Misc; + +use In2code\Powermail\Utility\BasicFileUtility; +use TYPO3\CMS\Core\Utility\GeneralUtility; +use TYPO3Fluid\Fluid\Core\ViewHelper\AbstractTagBasedViewHelper; + +/** + * Get Upload Path ViewHelper + */ +class GetHmacForFileViewHelper extends AbstractTagBasedViewHelper +{ + protected string $uploadPathFallback = 'uploads/tx_powermail/'; + + public function initializeArguments(): void + { + parent::initializeArguments(); + $this->registerArgument('fileName', 'string', 'Filename like "picture.jpg"', true); + $this->registerArgument('path', 'string', 'Path like "fileadmin/powermail/uploads/"', true); + } + + public function render(): string + { + $fileName = $this->arguments['fileName'] ?? ''; + $path = $this->arguments['path'] ?? $this->uploadPathFallback; + + $absFileName = GeneralUtility::getFileAbsFileName($path . $fileName); + + return BasicFileUtility::getHmacForFile($absFileName); + } +}
Resources/Private/Partials/Module/List.html+1 −2 modified@@ -221,8 +221,7 @@ </f:else> </f:if> </a> - - <a href="{be:moduleLink(route:'powermail_downloadfile', arguments:'{file: \'{settings.uploadPath}{subValue}\'}')}" download> + <a href="{be:moduleLink(route:'powermail_downloadfile', arguments:'{file: \'{settings.uploadPath}{subValue}\', hmac: \'{vh:misc.getHmacForFile(fileName:subValue, path:settings.uploadPath)}\'}')}" download> Download </a> </div>
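Review bot: In the `downloadFile` hunk of `ModuleController.php`, `$fileName = basename($queryParams['file'])` is computed but never used; `getFileAbsFileName()` and the HMAC both operate on the raw `$queryParams['file']`, so either drop the `basename` line or use its result consistently. Also, `isValidHmac(string $fileName, string $hmacFromQuery)` receives `$queryParams['hmac']` unchecked, so a request carrying `hmac[]=x` passes an array into a `string` parameter and dies with a TypeError instead of the quiet `ForwardResponse('list')` every other failure path returns; extend the condition to `array_key_exists('hmac', $queryParams) && is_string($queryParams['hmac'])`. Consider verifying the HMAC before `is_file()` as well, so unvalidated input never reaches the filesystem.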
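Review bot: The new `isValidHmac()` method (second hunk of `ModuleController.php`) has no docblock stating that `$fileName` must be the absolute path returned by `getFileAbsFileName()`, which is what `GetHmacForFileViewHelper` signs; a caller that passes the relative `file` query value instead would always fail verification. A one-line docblock naming that contract would prevent the mismatch. `hash_equals()` is the correct comparison here.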
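Review bot: `BasicFileUtility::getHmacForFile()` signs whatever absolute path string it is handed, with `'_powermail'` as a fixed additional secret, so the download route becomes a capability whose scope is set entirely by the callers that mint tokens: any template or PHP code that feeds a user-influenced path into `getHmacForFile()` would issue a valid token for that file. Document on the method that only paths produced by `getFileAbsFileName()` for the configured upload directory should be signed, or have the helper enforce that prefix itself.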
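Review bot: `GetHmacForFileViewHelper` extends `AbstractTagBasedViewHelper` but `render()` returns a plain string, not an HTML tag; `AbstractViewHelper` is the fitting base class and avoids registering unused tag attributes. Since the `path` argument is registered as required (`true`), the `?? $this->uploadPathFallback` branch and the `$uploadPathFallback` property are dead code, and the docblock `Get Upload Path ViewHelper` is a copy-paste from another helper; rename it to describe the HMAC it returns.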
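Review bot: In `List.html`, the `file` argument is built from `{settings.uploadPath}{subValue}` while the same two parts are passed separately to `vh:misc.getHmacForFile`, which concatenates `path . fileName` before resolving; the two stay in sync only as long as both template expressions are edited together, so a short comment next to the link noting that dependency would help. Confirm also that the `vh` namespace resolves in this partial, since the import is not part of this diff.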
Vulnerability mechanics
The backend module route `powermail_downloadfile` (`ModuleController::downloadFile()`) took the `file` query parameter, resolved it with `GeneralUtility::getFileAbsFileName()` and streamed the result whenever `is_file()` succeeded. The only link between the download links rendered in the list view and the file served was the client-supplied path, so anyone who could reach the module could request any file the PHP process can read and that `getFileAbsFileName()` resolves, not just powermail uploads (CWE-639 style authorization bypass through a user-controlled key). The fix (12.5.3, 13.0.1) turns each link into a capability: `BasicFileUtility::getHmacForFile()` computes an HMAC over the absolute file name with `GeneralUtility::hmac()` (keyed on the site's encryption key plus the additional secret `_powermail`), the new `GetHmacForFileViewHelper` embeds that value in the link, and `downloadFile()` refuses any request whose `hmac` parameter does not match, comparing with `hash_equals()`.
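The following stand-alone PHP script is an added example, not powermail's or TYPO3's own code: it places a pre-fix download handler beside an HMAC-bound one and runs both against a constructed temporary web root containing an upload and a config file. The encryption key, the `sha256`-based MAC (TYPO3's real helper is `GeneralUtility::hmac()`), the `absFileName()` stand-in for `getFileAbsFileName()` and all function names are assumptions made so the script runs offline; it also goes slightly beyond the patch by rejecting a non-string `hmac` parameter and checking the MAC before touching the filesystem.

```php
<?php
declare(strict_types=1);

// Added example, not powermail's code. Key, MAC algorithm, helper names and
// the temporary web root are assumptions made for a self-contained run.
const ENCRYPTION_KEY    = '0123456789abcdef0123456789abcdef0123456789abcdef'; // assumed site key
const ADDITIONAL_SECRET = '_powermail';
const UPLOAD_PATH       = 'fileadmin/powermail/uploads/';

// Stand-in for GeneralUtility::getFileAbsFileName(): prefix the web root and
// refuse traversal and NUL bytes (returns '' on rejection).
function absFileName(string $webRoot, string $relative): string
{
    if ($relative === '' || str_contains($relative, "\0") || str_contains($relative, '..')) {
        return '';
    }
    return $webRoot . ltrim($relative, '/');
}

// Stand-in for BasicFileUtility::getHmacForFile(): MAC over the absolute path,
// keyed on the site key plus a component-specific secret (algorithm assumed).
function hmacForFile(string $absFileName): string
{
    return hash_hmac('sha256', $absFileName, ENCRYPTION_KEY . ADDITIONAL_SECRET);
}

// What the List.html partial does through the ViewHelper: mint link parameters
// whose hmac is bound to exactly the file the template intends to expose.
function downloadLinkParams(string $webRoot, string $fileName): array
{
    $relative = UPLOAD_PATH . $fileName;
    return ['file' => $relative, 'hmac' => hmacForFile(absFileName($webRoot, $relative))];
}

// Pre-12.5.3 behaviour: the only input deciding what is served is the client path.
function downloadFileVulnerable(string $webRoot, array $query): string
{
    if (!isset($query['file']) || !is_string($query['file'])) {
        return 'forward:list';
    }
    $abs = absFileName($webRoot, $query['file']);
    return ($abs !== '' && is_file($abs)) ? 'serve:' . $abs : 'forward:list';
}

// Fixed behaviour: require a string hmac, verify it in constant time, and only
// then consult the filesystem.
function downloadFileFixed(string $webRoot, array $query): string
{
    if (!isset($query['file'], $query['hmac'])
        || !is_string($query['file']) || !is_string($query['hmac'])) {
        return 'forward:list';
    }
    $abs = absFileName($webRoot, $query['file']);
    if ($abs === '' || !hash_equals(hmacForFile($abs), $query['hmac'])) {
        return 'forward:list';
    }
    return is_file($abs) ? 'serve:' . $abs : 'forward:list';
}

// Demo against a constructed web root: one legitimate upload plus a config file
// that must never be reachable through the download route.
function demo(): array
{
    $webRoot = rtrim(sys_get_temp_dir(), '/') . '/idor-demo-' . bin2hex(random_bytes(4)) . '/';
    mkdir($webRoot . UPLOAD_PATH, 0700, true);
    mkdir($webRoot . 'config/system', 0700, true);
    file_put_contents($webRoot . UPLOAD_PATH . 'report.pdf', '%PDF-1.4 constructed sample');
    file_put_contents($webRoot . 'config/system/settings.php', "<?php return ['encryptionKey' => 'secret'];");

    $legit   = downloadLinkParams($webRoot, 'report.pdf');
    $forged  = ['file' => 'config/system/settings.php', 'hmac' => $legit['hmac']]; // token minted for another file
    $noHmac  = ['file' => 'config/system/settings.php'];
    $arrHmac = ['file' => 'config/system/settings.php', 'hmac' => ['x']];        // equivalent of ?hmac[]=x

    return [
        'vulnerable_serves_config' => downloadFileVulnerable($webRoot, $noHmac),  // serve:<root>config/system/settings.php
        'fixed_serves_upload'      => downloadFileFixed($webRoot, $legit),        // serve:<root>fileadmin/powermail/uploads/report.pdf
        'fixed_rejects_forged'     => downloadFileFixed($webRoot, $forged),       // forward:list
        'fixed_rejects_missing'    => downloadFileFixed($webRoot, $noHmac),       // forward:list
        'fixed_rejects_array'      => downloadFileFixed($webRoot, $arrHmac),      // forward:list
    ];
}

print_r(demo());
```

Run it with `php idor-demo.php`. The forged case is the one that matters for the advisory: reusing a valid token with a different `file` fails because the MAC is bound to the resolved absolute path, so the link-minting code (the template), not the request, decides which files are downloadable.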