Headline
GHSA-p6xx-fhfw-7mj7: Configuration Injection in extension "Direct Mail" (direct_mail)
The “Configuration” backend module of the extension allows an authenticated user to write arbitrary page TSConfig for folders configured as “Direct Mail”. Exploiting the vulnerability may lead to Configuration Injection (TYPO3 10.4 and above) and to Arbitrary Code Execution (TYPO3 9.5 and below).
A valid backend user account having access to the Direct Mail “Configuration” backend module is needed in order to exploit this vulnerability.
Skip to content
Actions
Automate any workflow
Packages
Host and manage packages
Security
Find and fix vulnerabilities
Codespaces
Instant dev environments
Copilot
Write better code with AI
Code review
Manage code changes
Issues
Plan and track work
Discussions
Collaborate outside of code
GitHub Sponsors
Fund open source developers
* The ReadME Project
GitHub community articles
- Pricing
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-50461
Configuration Injection in extension “Direct Mail” (direct_mail)
High severity GitHub Reviewed Published Dec 13, 2023 to the GitHub Advisory Database • Updated Dec 13, 2023
Package
composer directmailteam/direct-mail (Composer)
Affected versions
>= 8.0.0, < 9.5.2
>= 7.0.0, < 7.0.3
< 6.0.3
Patched versions
9.5.2
7.0.3
6.0.3
Description
Published to the GitHub Advisory Database
Dec 13, 2023
Last updated
Dec 13, 2023