CVE-2025-7899

EPSS 0.27%

Powermail extension for TYPO3 allows Insecure Direct Object Reference

Published: 7/22/2025Modified: 7/22/2025

Description

The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0.

Affected packages (1)

Packagist/in2code/powermail>= 12.0.0, < 12.5.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-7899
PATCHhttps://github.com/in2code-de/powermail
WEBhttps://github.com/in2code-de/powermail/commit/b39e129c5e2a797f0ccf271fea220c7933ca77bc
WEBhttps://typo3.org/security/advisory/typo3-ext-sa-2025-009