CVE-2024-45232 is an Insecure Direct Object Reference (IDOR) vulnerability identified in the powermail extension for TYPO3 CMS versions through 12.3.5. The root cause is the failure to properly validate the 'mail' parameter in the confirmationAction endpoint, which is responsible for displaying confirmation data after form submission. Because the extension by default saves submitted form data to the database (plugin.tx_powermail.settings.db.enable=1), an unauthenticated attacker can manipulate this parameter to access user-submitted data from all stored forms. This bypasses access controls and exposes potentially sensitive information such as names, emails, and other form inputs. The vulnerability affects multiple major versions of the extension, and fixed releases have been issued (7.5.0, 8.5.0, 10.9.0, and 12.4.0). The CVSS 3.1 score of 7.3 indicates a high-severity issue due to its network vector, lack of required privileges or user interaction, and impacts on confidentiality, integrity, and availability. Although no active exploitation has been reported, the vulnerability's nature and default configuration make it a significant risk for TYPO3 sites using powermail to store form data.

The primary impact of CVE-2024-45232 is unauthorized disclosure of user-submitted form data, which can include personally identifiable information (PII), contact details, or other sensitive inputs collected via powermail forms. This compromises confidentiality and may lead to privacy violations, regulatory non-compliance (e.g., GDPR), and reputational damage. Integrity and availability impacts are rated low to moderate but exist because attackers could potentially manipulate the mail parameter to disrupt normal form confirmation processes or cause unintended data exposure. Since the vulnerability requires no authentication and can be exploited remotely over the network, the attack surface is broad. Organizations relying on powermail for critical user interactions or data collection are at risk of data leakage, which could be leveraged for further attacks such as phishing or social engineering. The default enabling of database storage increases the likelihood of exposure in typical deployments.

To mitigate CVE-2024-45232, organizations should immediately upgrade the powermail extension to one of the fixed versions: 7.5.0, 8.5.0, 10.9.0, or 12.4.0, depending on their TYPO3 version. If upgrading is not immediately feasible, disable the database storage of submitted form data by setting plugin.tx_powermail.settings.db.enable=0 to prevent data persistence and exposure. Additionally, implement web application firewall (WAF) rules to detect and block suspicious requests targeting the confirmationAction endpoint with anomalous mail parameter values. Review and tighten access controls around form data display endpoints. Conduct audits of stored form data to identify any prior unauthorized access. Monitor logs for unusual access patterns to powermail confirmation pages. Finally, educate developers and administrators about secure parameter validation and the risks of IDOR vulnerabilities to prevent recurrence.