Packagist (Composer) package
directmailteam/direct-mail
pkg:composer/directmailteam/direct-mail
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-50461 | hig | — | >= 8.0.0, < 9.5.2 | 9.5.2 | Dec 13, 2023 | The “Configuration” backend module of the extension allows an authenticated user to write arbitrary page TSConfig for folders configured as “Direct Mail”. Exploiting the vulnerability may lead to Configuration Injection (TYPO3 10.4 and above) and to Arbitrary Code Execution (TYPO | |
| CVE-2020-12700 | — | < 5.2.4 | 5.2.4 | May 13, 2020 | The direct_mail extension through 5.2.3 for TYPO3 allows Information Disclosure via a newsletter subscriber data Special Query. | ||
| CVE-2020-12699 | — | < 5.2.4 | 5.2.4 | May 13, 2020 | The direct_mail extension through 5.2.3 for TYPO3 has an Open Redirect via jumpUrl. | ||
| CVE-2020-12698 | — | < 5.2.4 | 5.2.4 | May 13, 2020 | The direct_mail extension through 5.2.3 for TYPO3 has Broken Access Control for newsletter subscriber tables. | ||
| CVE-2020-12697 | — | < 5.2.4 | 5.2.4 | May 13, 2020 | The direct_mail extension through 5.2.3 for TYPO3 allows Denial of Service via log entries. | ||
| CVE-2019-16698 | — | < 5.2.3 | 5.2.3 | Oct 16, 2019 | The direct_mail (aka Direct Mail) extension through 5.2.2 for TYPO3 has a missing access check in the backend module, allowing a user (with restricted permissions to the fe_users table) to view and export data of frontend users who are subscribed to a newsletter. | ||
| CVE-2013-7400 | Hig | 7.5 | < 3.1.2 | 3.1.2 | Dec 29, 2017 | The Direct Mail (direct_mail) extension before 3.1.2 for TYPO3 allows remote attackers to obtain sensitive information by leveraging improper checking of authentication codes. | |
| CVE-2009-4159 | — | < 2.6.5 | 2.6.5 | Dec 2, 2009 | Cross-site scripting (XSS) vulnerability in the newsletter configuration feature in the backend module in the Direct Mail (direct_mail) extension 2.6.4 and earlier for TYPO3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
- affected >= 8.0.0, < 9.5.2fixed 9.5.2
The “Configuration” backend module of the extension allows an authenticated user to write arbitrary page TSConfig for folders configured as “Direct Mail”. Exploiting the vulnerability may lead to Configuration Injection (TYPO3 10.4 and above) and to Arbitrary Code Execution (TYPO
- CVE-2020-12700May 13, 2020affected < 5.2.4fixed 5.2.4
The direct_mail extension through 5.2.3 for TYPO3 allows Information Disclosure via a newsletter subscriber data Special Query.
- CVE-2020-12699May 13, 2020affected < 5.2.4fixed 5.2.4
The direct_mail extension through 5.2.3 for TYPO3 has an Open Redirect via jumpUrl.
- CVE-2020-12698May 13, 2020affected < 5.2.4fixed 5.2.4
The direct_mail extension through 5.2.3 for TYPO3 has Broken Access Control for newsletter subscriber tables.
- CVE-2020-12697May 13, 2020affected < 5.2.4fixed 5.2.4
The direct_mail extension through 5.2.3 for TYPO3 allows Denial of Service via log entries.
- CVE-2019-16698Oct 16, 2019affected < 5.2.3fixed 5.2.3
The direct_mail (aka Direct Mail) extension through 5.2.2 for TYPO3 has a missing access check in the backend module, allowing a user (with restricted permissions to the fe_users table) to view and export data of frontend users who are subscribed to a newsletter.
- affected < 3.1.2fixed 3.1.2
The Direct Mail (direct_mail) extension before 3.1.2 for TYPO3 allows remote attackers to obtain sensitive information by leveraging improper checking of authentication codes.
- CVE-2009-4159Dec 2, 2009affected < 2.6.5fixed 2.6.5
Cross-site scripting (XSS) vulnerability in the newsletter configuration feature in the backend module in the Direct Mail (direct_mail) extension 2.6.4 and earlier for TYPO3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.