The extension fails to properly sanitize user input and is susceptible to SQL Injection.
A missing access check in the backend module of the extension allows a backend user without access to configured tables (e.g. fe_users, tt_address) to view and export data of users subscribed to a newsletter.
The extension fails to sanitize user input, which allows an attacker to execute arbitrary Extbase actions, resulting in Remote Code Execution.
The extension allows arbitrary files to be uploaded to the web server. For versions 1.2.2 and below, this vulnerability results in Remote Code Execution. In versions later than 1.2.2, the vulnerability can result in Denial of Service, since the webspace can be filled up with arbitrary files. The extension also includes jQuery 2.2.4, which is known to be vulnerable to Cross-Site Scripting.
It has been discovered that FormEngine and DataHandler are vulnerable to insecure deserialization. A valid backend user account is needed in order to exploit this vulnerability.