CVE-2024-45233 is a broken access control vulnerability found in the Powermail extension for TYPO3 CMS, specifically in versions up to 12.3.5. The issue stems from insufficient or missing access checks in the OutputController, which handles various actions related to form data management. Because these actions can be called directly without proper authorization verification, an unauthenticated attacker can exploit this flaw to perform unauthorized operations such as editing, updating, deleting, or exporting data from persisted forms. The exploitability depends on the configuration and usage of Powermail Frontend plugins, which are responsible for rendering and managing forms on TYPO3 websites. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network. The CVSS v3.1 base score is 7.3, reflecting a high severity due to the potential impact on confidentiality, integrity, and availability of form data. The vulnerability is tracked under CWE-284 (Improper Access Control). Fixed versions have been released (7.5.0, 8.5.0, 10.9.0, and 12.4.0), and users are strongly advised to upgrade. No known exploits in the wild have been reported yet, but the ease of exploitation and impact warrant immediate attention.

The vulnerability allows attackers to bypass access controls and manipulate form data without authentication, which can lead to multiple adverse outcomes. Confidentiality is compromised as attackers can export sensitive data submitted via forms, potentially exposing personal or business-critical information. Integrity is affected since attackers can modify or delete form data, undermining trust in the data's accuracy and reliability. Availability may also be impacted if attackers delete critical form submissions or disrupt form functionality. Organizations relying on Powermail for contact forms, surveys, or data collection risk data breaches, regulatory non-compliance, and reputational damage. Given TYPO3's use in government, education, and enterprise environments, the threat extends to sensitive sectors where data integrity and confidentiality are paramount. The lack of authentication requirement and remote exploitability increase the risk of widespread attacks if patches are not applied promptly.

1. Immediately upgrade Powermail extension to one of the fixed versions: 7.5.0, 8.5.0, 10.9.0, or 12.4.0, depending on your TYPO3 version. 2. Review and restrict access to Powermail Frontend plugins configurations, ensuring that only necessary actions are enabled and exposed. 3. Implement web application firewall (WAF) rules to detect and block suspicious requests targeting Powermail OutputController endpoints. 4. Conduct thorough audits of form data to identify any unauthorized changes or exports that may have occurred prior to patching. 5. Monitor TYPO3 logs for unusual activity related to Powermail actions, especially those that modify or export data. 6. Limit exposure of TYPO3 backend and frontend interfaces to trusted networks or VPNs where feasible. 7. Educate administrators and developers on secure configuration practices for TYPO3 extensions, emphasizing access control enforcement. 8. Consider additional compensating controls such as rate limiting and IP blacklisting to reduce attack surface until patches are applied.