CVE-2022-47408: 
PHP vulnerability analysis and mitigation

A critical vulnerability (CVE-2022-47408) was discovered in the fp_newsletter (Newsletter subscriber management) extension for TYPO3 CMS. The vulnerability affects versions before 1.1.1, 1.2.0, 2.x before 2.1.2, 2.2.1 through 2.4.0, and 3.x before 3.2.6. The issue was disclosed on December 14, 2022, and involves a CAPTCHA bypass vulnerability that could lead to mass unauthorized subscriptions (TYPO3 Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 score of 9.1 (CRITICAL), indicating its severe nature. The technical issue stems from a bypass in the CAPTCHA implementation that could be exploited without requiring special privileges or user interaction. The vulnerability is classified under Broken Access Control (CWE-284) and Information Disclosure (CWE-200) categories (TYPO3 Advisory).

The primary impact of this vulnerability is the potential for automated creation of numerous newsletter subscribers without proper verification. This could lead to abuse of the newsletter system and potentially affect system resources and legitimate subscriber management (TYPO3 Advisory).

The vulnerability has been patched in versions 1.1.1, 2.1.2, and 3.2.6 of the fp_newsletter extension. Users are strongly advised to update to these patched versions as soon as possible. The updated versions are available through the TYPO3 extension manager, packagist, and the official TYPO3 extension repository (TYPO3 Advisory).

The vulnerability was responsibly disclosed with credit given to Martin Waleczek for reporting the CAPTCHA bypass vulnerability and TYPO3 core & security team member Oliver Hader for reporting related vulnerabilities. Kurt Gusbeth was acknowledged for providing the updated versions of the extension (TYPO3 Advisory).