CVE-2025-7899
Published: 2025-07-22
Priority: P3 · 37 · medium · 6 · CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.27% (19.2th percentile)
The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| in2code | powermail | >= 12.0.0 < 12.5.3 | 12.5.3 |
| in2code | powermail | >= 13.0.0 < 13.0.1 | 13.0.1 |
| typo3 | extension_powermail | — | — |
| typo3 | extension_powermail | 12.0.0 – 12.5.2 | — |
GHSA
ghsa · 2025-07-22
CVE-2025-7899 [MEDIUM] CWE-639 Powermail extension for TYPO3 allows Insecure Direct Object Reference
OSV
osv · 2025-07-22
CVE-2025-7899 [MEDIUM] Powermail extension for TYPO3 allows Insecure Direct Object Reference
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.