ASA-2019-00585 – TYPO3 extension Direct Mail (direct_mail): Information Disclosure


Allele Security Alert

ASA-2019-00585

Identifier(s)

ASA-2019-00585, CVE-2019-16698, EXT-SA-2019-016

Title

Information Disclosure

Vendor(s)

d.k.d Internet Service GmbH

Product(s)

TYPO3 extension Direct Mail (direct_mail)

Affected version(s)

TYPO3 extension Direct Mail (direct_mail) versions before 5.2.3

Fixed version(s)

TYPO3 extension Direct Mail (direct_mail) version 5.2.3

Proof of concept

Unknown

Description

A missing access check in the extension's backend module allows a backend user who has no access to the configured recipient tables (e.g. fe_users, tt_address) to view and export the data of users subscribed to a newsletter.
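As an illustration of the missing check described above, the following PHP snippet (an added example, not the extension's code and not the actual 5.2.3 fix) shows how a backend module can restrict recipient tables to those the current backend user may read, using the TYPO3 core method BackendUserAuthentication::check('tables_select', $table); the function names are assumed for this example.

```php
<?php
// Added example: filter configured recipient tables by the backend user's
// table-read permission before listing or exporting subscriber data.
// Assumes TYPO3 core's BackendUserAuthentication::check() API.

use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;

/**
 * Keep only the recipient tables the backend user is allowed to SELECT from.
 * Admin users pass check() for every table; non-admins need the table in
 * their "tables_select" permission set.
 *
 * @param string[] $configuredTables e.g. ['fe_users', 'tt_address']
 * @return string[]
 */
function filterReadableRecipientTables(array $configuredTables, BackendUserAuthentication $beUser): array
{
    return array_values(array_filter(
        $configuredTables,
        static fn (string $table): bool => $beUser->check('tables_select', $table)
    ));
}

/**
 * Guard the export path separately: the list filter alone is not enough if a
 * table name can still be supplied directly in the export request.
 */
function assertExportAllowed(string $table, BackendUserAuthentication $beUser): void
{
    if (!$beUser->check('tables_select', $table)) {
        throw new \RuntimeException('Export denied: no read access to table ' . $table);
    }
}

// Usage inside a backend module controller (hypothetical call site):
// $tables = filterReadableRecipientTables(['fe_users', 'tt_address'], $GLOBALS['BE_USER']);
// assertExportAllowed($requestedTable, $GLOBALS['BE_USER']);
```

The second guard matters because a view-level filter does not protect an export action that accepts the table name as a request parameter.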

Technical details

Unknown

Credits

Markus Klein

Reference(s)

Information Disclosure in extension “Direct Mail” (direct_mail)
https://typo3.org/security/advisory/typo3-ext-sa-2019-016/

Direct Mail (direct_mail)
https://extensions.typo3.org/extension/direct_mail/

[TYPO3-announce] [Ticket#201910155760000011] Vulnerabilities in multiple third party TYPO3 CMS extensions
http://lists.typo3.org/pipermail/typo3-announce/2019/000452.html

It's a newsletter sending extension for the TYPO3 CMS
https://github.com/kartolo/direct_mail/

Security fix release
https://github.com/kartolo/direct_mail/commit/3a70924777294c7fb40e9f6eb3f7627bac58dfd1

CVE-2019-16698
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16698

CVE-2019-16698
https://nvd.nist.gov/vuln/detail/CVE-2019-16698

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 23, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.