CVE-2019-16698
low-risk
Published 2019-10-16
The direct_mail (aka Direct Mail) extension through 5.2.2 for TYPO3 has a missing access check in the backend module, allowing a user (with restricted permissions to the fe_users table) to view and export data of frontend users who are subscribed to a newsletter.
Do I need to act?
EPSS score: 0.11% chance of exploitation (low exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 4.3/10 · Medium · NETWORK / LOW complexity
Affected Products (1)
Direct Mail
Affected Vendors
References
Third Party Advisory: https://extensions.typo3.org/extension/direct_mail
Third Party Advisory: https://typo3.org/security/advisory/typo3-ext-sa-2019-016/
23 / 100 · low-risk
Severity: 18/34 · Moderate
Exploitability: 0/34 · Minimal
Exposure: 5/34 · Minimal