CVE-2025-7899 – in2code/powermail
Package
Manager: composer
Name: in2code/powermail
Vulnerable Version: >=12.0.0 <12.5.3 || =13.0.0 || >=13.0.0 <13.0.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0005 (percentile: 0.14977)
Details
Powermail extension for TYPO3 allows Insecure Direct Object Reference
The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0.
Metadata
Created: 2025-07-22T12:30:43Z
Modified: 2025-07-22T14:37:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-x769-3cwv-f8hc/GHSA-x769-3cwv-f8hc.json
CWE IDs: ["CWE-639"]
Alternative ID: GHSA-x769-3cwv-f8hc
Finding: F039
Auto approve: 1