CVE-2024-47047
📋 TL;DR
This vulnerability allows unauthenticated attackers to access all user-submitted form data stored by the powermail extension in TYPO3. It affects TYPO3 installations using vulnerable versions of the powermail extension (through 12.4.0). Attackers can exploit an Insecure Direct Object Reference (IDOR) flaw to bypass intended access controls.
💻 Affected Systems
- TYPO3 powermail extension
📦 What is this software?
Powermail by In2code
⚠️ Risk & Real-World Impact
Worst Case
All form submissions containing sensitive personal data, credentials, or confidential information are exposed to unauthorized parties, potentially leading to data breaches, privacy violations, and regulatory penalties.
Likely Case
Exposure of user-submitted form data including names, email addresses, messages, and other form field contents, enabling data harvesting and potential follow-on attacks.
If Mitigated
Limited or no data exposure if proper access controls, network segmentation, and input validation are implemented alongside the vulnerable extension.
🎯 Exploit Status
The vulnerability requires no authentication and involves manipulating the mail parameter, making exploitation straightforward for attackers who discover vulnerable instances.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.5.1, 8.5.1, 10.9.1, or 12.4.1 depending on your powermail version
Vendor Advisory: https://typo3.org/security/advisory/typo3-ext-sa-2024-007
Restart Required: No
Instructions:
1. Identify your current powermail extension version.
2. Update to the corresponding patched version (7.5.1, 8.5.1, 10.9.1, or 12.4.1).
3. Clear TYPO3 caches.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict access to createAction
Implement access controls or disable the vulnerable createAction endpoint if it is not required.
Configure TYPO3 or web server (e.g., Apache .htaccess, Nginx location block) to restrict access to the affected endpoint.
Input validation middleware
Add custom TYPO3 middleware to validate the mail parameter before processing.
Implement and register a custom middleware in TYPO3 that validates the mail parameter against expected patterns.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the TYPO3 instance.
- Monitor logs for unusual access patterns to form submission endpoints and set up alerts.
🔍 How to Verify
Check if Vulnerable:
Check your powermail extension version in the TYPO3 Extension Manager or in composer.json. If the version is 12.4.0 or lower and is not one of the fixed versions (7.5.1, 8.5.1, 10.9.1), the installation is vulnerable.
Check Version:
In TYPO3 backend: Extension Manager -> Installed Extensions -> powermail, or check composer.json for 'powermail/powermail' version.
Verify Fix Applied:
Confirm powermail extension version is updated to 7.5.1, 8.5.1, 10.9.1, or 12.4.1 in TYPO3 Extension Manager.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests to createAction endpoints with manipulated mail parameters
- High volume of requests to form submission URLs from single IPs
Network Indicators:
- Traffic patterns showing enumeration of mail parameter values
- Requests bypassing normal form submission workflows
SIEM Query:
web_access_logs | where url contains 'createAction' and mail_parameter matches irregular pattern
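As an added example (not from the advisory or from the powermail project), the two log indicators above turned into a small detector run over constructed Apache access-log lines: it flags createAction requests whose mail value is malformed and single IPs that request many distinct mail values. The parameter names tx_powermail_pi1[action] / tx_powermail_pi1[mail], the enumeration threshold, and the assumption that a well-formed mail value is a plain positive integer are assumptions to adjust for your site.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines in Apache combined format (not real traffic).
# Assumption: the Extbase plugin namespace is tx_powermail_pi1 with [action]=create
# and [mail]=<uid>; change PARAM_NS if your site uses another plugin name.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:12:00:01 +0000] "POST /contact?tx_powermail_pi1%5Baction%5D=create&tx_powermail_pi1%5Bmail%5D=41 HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2024:12:00:02 +0000] "GET /contact?tx_powermail_pi1%5Baction%5D=create&tx_powermail_pi1%5Bmail%5D=1 HTTP/1.1" 200 812
198.51.100.7 - - [10/Oct/2024:12:00:03 +0000] "GET /contact?tx_powermail_pi1%5Baction%5D=create&tx_powermail_pi1%5Bmail%5D=2 HTTP/1.1" 200 801
198.51.100.7 - - [10/Oct/2024:12:00:04 +0000] "GET /contact?tx_powermail_pi1%5Baction%5D=create&tx_powermail_pi1%5Bmail%5D=3 HTTP/1.1" 200 799
192.0.2.9 - - [10/Oct/2024:12:00:05 +0000] "GET /contact?tx_powermail_pi1%5Baction%5D=create&tx_powermail_pi1%5Bmail%5D=41%2C42 HTTP/1.1" 500 0
203.0.113.5 - - [10/Oct/2024:12:00:06 +0000] "GET /contact HTTP/1.1" 200 4120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
PARAM_NS = "tx_powermail_pi1"
UID_RE = re.compile(r"^[1-9]\d*$")  # assumption: a well-formed mail uid is a plain positive integer

def parse_line(line):
    """Split one access-log line into ip, method, status and decoded query parameters."""
    m = LINE_RE.match(line)
    if not m:
        return None
    params = dict(parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True))
    return {"ip": m["ip"], "method": m["method"], "status": int(m["status"]), "params": params}

def analyze(log_text, enum_threshold=3):
    """Return (irregular, enumerators): irregular lists (ip, value) pairs whose mail
    value is malformed; enumerators maps ip -> number of distinct mail values requested,
    for IPs at or above enum_threshold (the 'single IP enumerating mail values' indicator)."""
    irregular, seen = [], defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["params"].get(f"{PARAM_NS}[action]") != "create":
            continue  # only createAction requests are of interest here
        mail = rec["params"].get(f"{PARAM_NS}[mail]")
        if mail is None:
            continue
        if not UID_RE.match(mail):
            irregular.append((rec["ip"], mail))
        seen[rec["ip"]].add(mail)
    enumerators = {ip: len(v) for ip, v in seen.items() if len(v) >= enum_threshold}
    return irregular, enumerators

if __name__ == "__main__":
    irregular, enumerators = analyze(SAMPLE_LOG)
    print("irregular:", irregular, "\nenumerators:", enumerators)
```

Feed real access logs through analyze() (or port the two conditions to your SIEM) and tune enum_threshold to the normal number of forms a visitor touches.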