Allele Security Alert
ASA-2019-00585
Identifier(s)
ASA-2019-00585, CVE-2019-16698, EXT-SA-2019-016
Title
Information Disclosure
Vendor(s)
d.k.d Internet Service GmbH
Product(s)
TYPO3 extension Direct Mail (direct_mail)
Affected version(s)
TYPO3 extension Direct Mail (direct_mail) versions before 5.2.3
Fixed version(s)
TYPO3 extension Direct Mail (direct_mail) version 5.2.3
Proof of concept
Unknown
Description
A missing access check in the extension's backend module allows a backend user who has no access to the configured tables (e.g. fe_users, tt_address) to view and export the data of users subscribed to a newsletter.
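As an added illustration of the mitigation (not code from the direct_mail extension or from the referenced fix commit), this shows the pattern a TYPO3 backend module can use to limit subscriber listing and export to tables the current backend user is actually allowed to read. The helper names and the configured-table list are assumptions; the tables_select permission and the BackendUserAuthentication API are TYPO3 core.

```php
<?php
// Added example, not the direct_mail project's code or its actual fix.
// A backend module must verify that the current backend user may read a
// table before listing or exporting rows from it; otherwise a user without
// access to fe_users / tt_address could still read subscriber data.

use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;

/** Returns only those configured subscriber tables the user may read (helper name is hypothetical). */
function readableSubscriberTables(BackendUserAuthentication $user, array $configuredTables): array
{
    // Admins may read everything; everyone else needs an explicit tables_select grant.
    if ($user->isAdmin()) {
        return $configuredTables;
    }
    return array_values(array_filter(
        $configuredTables,
        static fn(string $table): bool => $user->check('tables_select', $table)
    ));
}

/** Rejects a list/export request for a table outside the user's permissions (hypothetical helper). */
function assertCanExport(BackendUserAuthentication $user, string $table, array $configuredTables): void
{
    if (!in_array($table, readableSubscriberTables($user, $configuredTables), true)) {
        throw new \RuntimeException('Backend user may not read table ' . $table);
    }
}

// Constructed sample: the tables the advisory names as examples of "configured tables".
$configuredTables = ['fe_users', 'tt_address'];
$allowed = readableSubscriberTables($GLOBALS['BE_USER'], $configuredTables);
assertCanExport($GLOBALS['BE_USER'], 'fe_users', $configuredTables);
```

Calling the check at the start of every list and export action, rather than only when rendering the menu, is what closes the gap the advisory describes.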
Technical details
Unknown
Credits
Markus Klein
Reference(s)
Information Disclosure in extension “Direct Mail” (direct_mail)
https://typo3.org/security/advisory/typo3-ext-sa-2019-016/
Direct Mail (direct_mail)
https://extensions.typo3.org/extension/direct_mail/
[TYPO3-announce] [Ticket#201910155760000011] Vulnerabilities in multiple third party TYPO3 CMS extensions
http://lists.typo3.org/pipermail/typo3-announce/2019/000452.html
It's a newsletter-sending extension for the TYPO3 CMS
https://github.com/kartolo/direct_mail/
Security fix release
https://github.com/kartolo/direct_mail/commit/3a70924777294c7fb40e9f6eb3f7627bac58dfd1
CVE-2019-16698
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16698
CVE-2019-16698
https://nvd.nist.gov/vuln/detail/CVE-2019-16698
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: October 23, 2019