CVE-2023-50461: 
PHP vulnerability analysis and mitigation

The vulnerability (CVE-2023-50461) affects the 'Direct Mail' extension in TYPO3 CMS, discovered and disclosed on December 13, 2023. This Configuration Injection vulnerability impacts multiple versions of the extension: versions 6.0.2 and below, 7.0.0 - 7.0.2, and 8.0.0 - 9.5.1 of the directmailteam/direct-mail package (TYPO3 Advisory).

The vulnerability exists in the 'Configuration' backend module of the extension, which allows authenticated users to write arbitrary page TSConfig for folders configured as 'Direct Mail'. The severity is rated as High with a CVSS v3.1 score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability is associated with CWE-15 (External Control of System or Configuration Setting) and CWE-95 (GitHub Advisory).

The impact varies depending on the TYPO3 version in use. For TYPO3 10.4 and above, successful exploitation can lead to Configuration Injection. For TYPO3 9.5 and below, the vulnerability can result in Arbitrary Code Execution. The vulnerability requires a valid backend user account with access to the Direct Mail 'Configuration' backend module (TYPO3 Advisory).

Fixed versions have been released: 6.0.3, 7.0.3, and 9.5.2. Users are strongly advised to update to these patched versions as soon as possible. Additionally, administrators should manually check for suspicious page TSConfig in all folders configured as 'Direct Mail'. The updates are available through the TYPO3 extension manager, packagist, and the TYPO3 extension repository (TYPO3 Advisory).