Insecure Direct Object Reference in TYPO3 Powermail Extension
CVE-2025-7899

6 MEDIUM

Key Information:

Vendor: TYPO3
CVE Published: 22 July 2025

What is CVE-2025-7899?

The Powermail extension for TYPO3 is affected by an Insecure Direct Object Reference (IDOR) vulnerability. It allows unauthorized access to, and download of, arbitrary files from the web server, potentially exposing sensitive data. Users of Powermail versions 12.0.0 through 12.5.2 and 13.0.0 should take immediate action to protect their installations.

Affected Version(s)

Extension "powermail" 12.0.0 <= 12.5.2

Extension "powermail" 13.0.0

CVSS V4

Score: 6
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Riny van Tiggelen