CVE-2025-7899: 
PHP vulnerability analysis and mitigation

The powermail extension for TYPO3 contains an Insecure Direct Object Reference vulnerability (CVE-2025-7899) discovered on July 22, 2025. This vulnerability affects powermail versions 12.0.0 through 12.5.2 and version 13.0.0. The vulnerability exists in the backend module of the extension, specifically in the 'downloadFile' function's file parameter validation (TYPO3 Advisory).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) with a CVSS v4.0 score of 6.0 (Medium) and vector string AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. The issue is tracked as CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability specifically manifests in the backend module's 'downloadFile' function where inadequate validation of the 'file' query parameter occurs (TYPO3 Advisory).

When successfully exploited, this vulnerability allows authenticated attackers with backend module access to download arbitrary files that the webserver has access to. The exploitation requires at least one powermail email record containing an uploaded file to be available in the backend module (TYPO3 Advisory).

The vulnerability has been patched in versions 12.5.3 and 13.0.1 of the powermail extension. Users are strongly advised to update to these versions as soon as possible. The updated versions are available through the TYPO3 extension manager, packagist, and can be downloaded directly from the TYPO3 extension repository (TYPO3 Advisory).