CVE-2022-47409

Published: Dec 14, 2022Modified: Apr 21, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An issue was discovered in the fp_newsletter (aka Newsletter subscriber management) extension before 1.1.1, 1.2.0, 2.x before 2.1.2, 2.2.1 through 2.4.0, and 3.x before 3.2.6 for TYPO3. Attackers can unsubscribe everyone via a series of modified subscription UIDs in deleteAction operations.

Affected (5)

Products: Fp Newsletter Project: Fp Newsletter

Fp Newsletter Project

1 product

Fp Newsletter

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Fp Newsletter Project Fp Newsletter	Before 1.1.1
Fp Newsletter Project Fp Newsletter	From 2.0.0 to 2.1.2
Fp Newsletter Project Fp Newsletter	From 2.2.1 to 2.4.0
Fp Newsletter Project Fp Newsletter	From 3.0.0 to 3.2.6
Fp Newsletter Project Fp Newsletter	Version 1.2.0

Related CWEs

CWE-285

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://typo3.org/security/advisory/typo3-ext-sa-2022-017

Source: cve@mitre.org

PatchVendor Advisory

https://typo3.org/security/advisory/typo3-ext-sa-2022-017

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.