Multiple vulnerabilities in Newsletter subscriber management extension for TYPO3

Risk: High
Patch available: Yes
Number of vulnerabilities: 4
CVE-ID: CVE-2022-47408, CVE-2022-47409, CVE-2022-47410, CVE-2022-47411
CWE-ID: CWE-863, CWE-284, CWE-668
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Newsletter subscriber management (Web applications / Modules and components for CMS)
Vendor: Kurt Gusbeth

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Incorrect authorization

EUVDB-ID: #VU70773

Risk: High

CVSSv4.0: 8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2022-47408

CWE-ID: CWE-863 - Incorrect Authorization

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to a CAPTCHA bypass. A remote attacker can bypass the CAPTCHA on the subscription form and mass-subscribe arbitrary people.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Newsletter subscriber management: 0.9.8 - 3.2.0

External links

http://typo3.org/security/advisory/typo3-ext-sa-2022-017


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper access control

EUVDB-ID: #VU70774

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-47409

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can unsubscribe every subscriber by sending deleteAction requests with modified subscription UIDs.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Newsletter subscriber management: 0.9.8 - 3.2.0

External links

http://typo3.org/security/advisory/typo3-ext-sa-2022-017


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Exposure of Resource to Wrong Sphere

EUVDB-ID: #VU70775

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-47410

CWE-ID: CWE-668 - Exposure of resource to wrong sphere

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to exposure of a resource to the wrong sphere. A remote attacker can obtain subscriber records via createAction operations.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Newsletter subscriber management: 0.9.8 - 3.2.0

External links

http://typo3.org/security/advisory/typo3-ext-sa-2022-017


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Exposure of Resource to Wrong Sphere

EUVDB-ID: #VU70776

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-47411

CWE-ID: CWE-668 - Exposure of resource to wrong sphere

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to exposure of a resource to the wrong sphere. A remote attacker can obtain subscriber records via unsubscribeAction operations.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Newsletter subscriber management: 0.9.8 - 3.2.0

External links

http://typo3.org/security/advisory/typo3-ext-sa-2022-017


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
