Improper Access Control
CVE-2024-45233
Summary
An issue was discovered in powermail extension versions through 7.4.4, 8.0.0 through 8.4.2, 9.0.0 through 10.8.2, and 11.0.0 through 12.3.5 for TYPO3. Several actions in the "OutputController" can directly be called, due to missing or insufficiently implemented access checks, resulting in Broken Access Control. Depending on the configuration of the Powermail Frontend plugins, an unauthenticated attacker can exploit this to edit, update, delete, or export data of persisted forms. This can only be exploited when the Powermail Frontend plugins are used.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-284 - Improper Access Control
Listed 5th in the 'OWASP Top Ten', improper (or broken) access control attacks are a fundamental type of vulnerability. This includes a broad range of design flaws that enable users to act outside of their intended permissions. They can use these privileges to gain access to restricted files and functionality such as accessing restricted information, falsifying records, destroying data, or executing commands.
Advisory Timeline
- Published
