CVE-2024-45233
📋 TL;DR
This vulnerability allows unauthenticated attackers to directly call actions in the OutputController of the powermail TYPO3 extension, bypassing access controls. Attackers can edit, update, delete, or export persisted form data when Powermail Frontend plugins are configured. Only TYPO3 installations using affected powermail extension versions are impacted.
💻 Affected Systems
- TYPO3 powermail extension
📦 What is this software?
Powermail by In2code
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all form data managed by powermail, including sensitive user submissions, with potential data destruction or unauthorized data export.
Likely Case
Unauthorized modification or deletion of form submissions, potentially exposing sensitive user data collected through forms.
If Mitigated
No impact if powermail Frontend plugins are not used or if proper access controls are implemented.
🎯 Exploit Status
Direct action calls with no authentication required when Frontend plugins are configured.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.5.0, 8.5.0, 10.9.0, or 12.4.0 (depending on your major version)
Vendor Advisory: https://typo3.org/security/advisory/typo3-ext-sa-2024-006
Restart Required: No
Instructions:
1. Identify your powermail major version.
2. Update to the corresponding fixed version: 7.x → 7.5.0, 8.x → 8.5.0, 10.x → 10.9.0, 12.x → 12.4.0.
3. Clear TYPO3 caches after update.
🔧 Temporary Workarounds
Disable Powermail Frontend plugins
Temporarily disable all Powermail Frontend plugins in TYPO3 to prevent exploitation.
Edit TYPO3 page/content elements to disable powermail plugins
🧯 If You Can't Patch
- Implement web application firewall rules to block direct calls to OutputController actions
- Restrict access to TYPO3 frontend to trusted IP addresses only
🔍 How to Verify
Check if Vulnerable:
Check powermail extension version in TYPO3 Extension Manager or composer.json. If version is below 7.5.0, 8.5.0, 10.9.0, or 12.4.0 (depending on major version), you are vulnerable.
Check Version:
composer show in2code/powermail (for Composer installs) or check TYPO3 Extension Manager
Verify Fix Applied:
Confirm powermail extension version matches one of the fixed versions and test that OutputController actions now require proper authentication.
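The version check above, scripted as an added example (not part of the advisory): it reads the installed powermail version from a composer.lock and compares it against the fixed version for that major line. It assumes the Composer package name is in2code/powermail; the composer.lock fragment is constructed for the demonstration.

```python
"""Check an installed powermail version against the fixed versions in TYPO3-EXT-SA-2024-006."""
import json
import re

# Fixed versions per major line, as listed in the advisory.
FIXED_VERSIONS = {7: (7, 5, 0), 8: (8, 5, 0), 10: (10, 9, 0), 12: (12, 4, 0)}


def parse_version(version: str) -> tuple:
    """Turn 'v8.4.2' or '8.4.2-dev' into (8, 4, 2); trailing suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown-major' for a powermail version."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        # The advisory names no fixed release for this major line (e.g. 9.x or 11.x),
        # so report it for manual review instead of guessing.
        return "unknown-major"
    return "fixed" if parsed >= fixed else "vulnerable"


def powermail_version_from_lock(lock_json: str):
    """Find the in2code/powermail package in composer.lock content; None if absent."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == "in2code/powermail":
            return pkg.get("version")
    return None


# Constructed composer.lock fragment, not taken from a real installation.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "typo3/cms-core", "version": "v12.4.10"},
    {"name": "in2code/powermail", "version": "12.3.5"},
]})

if __name__ == "__main__":
    found = powermail_version_from_lock(SAMPLE_LOCK)
    if found is None:
        print("in2code/powermail is not installed via Composer")
    else:
        print(f"in2code/powermail {found}: {assess(found)}")
```

Replace SAMPLE_LOCK with the contents of your project's composer.lock to check a real installation.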
📡 Detection & Monitoring
Log Indicators:
- Unusual direct calls to powermail OutputController actions from unauthenticated users
- Unexpected form data modifications or deletions
Network Indicators:
- HTTP requests to powermail controller endpoints without authentication
SIEM Query:
web_access_logs WHERE uri CONTAINS 'powermail' AND uri CONTAINS 'OutputController' AND user_agent NOT IN (trusted_user_agents)