It has been discovered that the extension "Newsletter subscriber management" (fp_newsletter) is susceptible to Information Disclosure and Broken Access Control.

Problem Description

The captcha of the extension can be bypassed, which allows automated creation of arbitrary numbers of newsletter subscribers. The deleteAction of the extension accepts arbitrary subscription UIDs without verifying that the caller owns the subscription, so a caller who enumerates UIDs can unsubscribe every newsletter subscriber. Insufficient access checks in the createAction and unsubscribeAction can be used to obtain data of existing newsletter subscribers.
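The deleteAction issue described above is a missing ownership check on a guessable integer identifier. The following is an added illustration in plain PHP, not code from fp_newsletter or from its fixed versions; the table layout, the function names and the sample subscribers are all constructed for the example. It shows the vulnerable pattern (the UID alone selects and authorises the deletion) next to a hardened pattern (the UID selects the row, a per-subscriber secret that was issued at subscription time authorises the action), and runs a UID enumeration against both.

```php
<?php
// Added illustration of the access-control pattern an unsubscribe/delete
// action needs. Not the extension's code; the data and names are constructed.
declare(strict_types=1);

/** Issue a per-subscriber secret at subscription time (assumption: stored with the row). */
function newSubscriberSecret(): string
{
    return bin2hex(random_bytes(16)); // 128 bits, not derivable from the uid
}

/** Constructed sample data standing in for the subscriber table. */
function sampleSubscribers(): array
{
    return [
        1 => ['email' => 'alice@example.invalid', 'secret' => newSubscriberSecret()],
        2 => ['email' => 'bob@example.invalid',   'secret' => newSubscriberSecret()],
    ];
}

/** Vulnerable pattern: anyone who can count upward from 1 can delete every subscriber. */
function deleteByUidOnly(array &$table, int $uid): bool
{
    if (!isset($table[$uid])) {
        return false;
    }
    unset($table[$uid]);
    return true;
}

/**
 * Hardened pattern: the uid only selects the row; the request must also carry
 * the secret bound to that row. An unknown uid and a wrong secret give the same
 * answer, so the action cannot be used to learn which uids exist.
 */
function deleteWithSecret(array &$table, int $uid, string $secret): bool
{
    $stored = $table[$uid]['secret'] ?? null;
    if ($stored === null || !hash_equals($stored, $secret)) {
        return false;
    }
    unset($table[$uid]);
    return true;
}

/** Enumerate uids 1..$max against a table using the vulnerable action; returns rows left. */
function enumerateUidOnly(int $max): int
{
    $table = sampleSubscribers();
    for ($uid = 1; $uid <= $max; $uid++) {
        deleteByUidOnly($table, $uid);
    }
    return count($table);
}

/** Same enumeration against the hardened action, without knowing any secret. */
function enumerateWithGuessedSecret(int $max): int
{
    $table = sampleSubscribers();
    for ($uid = 1; $uid <= $max; $uid++) {
        deleteWithSecret($table, $uid, 'guess');
    }
    return count($table);
}

printf("uid-only action, after enumeration: %d subscribers left\n", enumerateUidOnly(10));
printf("uid+secret action, after enumeration: %d subscribers left\n", enumerateWithGuessedSecret(10));

// A legitimate unsubscribe still works when the caller presents the mailed secret.
$table = sampleSubscribers();
$ok = deleteWithSecret($table, 1, $table[1]['secret']);
printf("legitimate unsubscribe of uid 1: %s, %d left\n", $ok ? 'ok' : 'refused', count($table));
```

The same structure applies to the createAction and unsubscribeAction disclosure: any response that differs depending on whether a UID or e-mail address already exists is an oracle, so the action should answer identically for unknown, wrong-secret and successful cases apart from the side effect itself.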

Solution

Updated versions 1.1.1, 2.1.2 and 3.2.6 are available from the TYPO3 extension manager, Packagist and at

https://extensions.typo3.org/extension/download/fp_newsletter/1.1.1/zip

https://extensions.typo3.org/extension/download/fp_newsletter/2.1.2/zip

https://extensions.typo3.org/extension/download/fp_newsletter/3.2.6/zip

Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to Martin Waleczek for reporting the captcha bypass vulnerability and to TYPO3 core & security team member Oliver Hader for reporting the other vulnerabilities. Thanks to Kurt Gusbeth for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.