← back
CVE-2025-7899

Insecure Direct Object Reference in extension "powermail" (powermail)

CVSS 6 MEDIUMEPSS 0.3%CWE-639
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
22 Jul 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
TYPO3 · Extension "powermail"

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://typo3.org/security/advisory/typo3-ext-sa-2025-009