CVE-2025-7899

The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0

CVSS

No CVSS.

References

Link	Resource
https://typo3.org/security/advisory/typo3-ext-sa-2025-009

Configurations

No configuration.

History

No history.

Information

Published : 2025-07-22 11:15

Updated : 2025-07-22 13:05

NVD link : CVE-2025-7899

Mitre link : CVE-2025-7899

CVE.ORG link : CVE-2025-7899

JSON object : View

Products Affected

No product.

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2025-7899", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-22T11:15:24.157", "references": [{"url": "https://typo3.org/security/advisory/typo3-ext-sa-2025-009", "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of\u00a0arbitrary\u00a0files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0"}, {"lang": "es", "value": "La extensi\u00f3n Powermail para TYPO3 permite una Referencia Directa a Objetos Insegura, lo que resulta en la descarga de archivos arbitrarios del servidor web. Este problema afecta a las versiones 12.0.0 a 12.5.2 y 13.0.0 de Powermail."}], "lastModified": "2025-07-22T13:05:40.573", "sourceIdentifier": "f4fb688c-4412-4426-b4b8-421ecf27b14a"}

CVE-2025-7899

JSON object

Attach tags to CVE-2025-7899

Attach tags to `CVE-2025-7899`