CVE-2025-7899 | THREATINT

Description

The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0

PUBLISHED Reserved 2025-07-19 | Published 2025-07-22 | Updated 2025-07-22 | Assigner TYPO3

MEDIUM: 6.0CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status

unaffected

12.0.0 (semver)

affected

13.0.0 (semver)

affected

Credits

Riny van Tiggelen reporter

References

typo3.org/security/advisory/typo3-ext-sa-2025-009

cve.org (CVE-2025-7899)

nvd.nist.gov (CVE-2025-7899)

Download JSON