CVE-2024-47047: 
PHP vulnerability analysis and mitigation

An issue was discovered in the powermail extension through 12.4.0 for TYPO3. The vulnerability (CVE-2024-47047) was disclosed on September 17, 2024, affecting multiple versions of the powermail extension. The vulnerability exists in the extension's failure to validate the mail parameter of the createAction, resulting in Insecure Direct Object Reference (IDOR) (TYPO3 Advisory).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) with a CVSS v3.1 base score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The issue is tracked as CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability affects multiple versions of the powermail extension including versions up to 7.5.0, 8.0.0-8.5.0, 9.0.0-10.9.0, and 12.0.0-12.4.0 (NVD).

The vulnerability allows an unauthenticated attacker to display user-submitted data of all forms persisted by the extension. This exposure is particularly concerning when the extension is configured to save submitted form data to the database, the powermail plugin's redirect setting is not configured, and the submit page text contains variables with sensitive user-submitted data (TYPO3 Advisory).

Fixed versions have been released: 7.5.1, 8.5.1, 10.9.1, and 12.4.1. Users are advised to update their installations to these patched versions as soon as possible. The updates are available through the TYPO3 extension manager, packagist, and the TYPO3 extension repository (TYPO3 Advisory).