#VU27939 Allocation of Resources Without Limits or Throttling in Direct Mail - CVE-2020-12697

Cybersecurity Help s.r.o.

Published: 2020-05-15

Vulnerability identifier: #VU27939

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-12697

CWE-ID: CWE-770

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Direct Mail
Web applications / Modules and components for CMS

Vendor: TYPO3

Description

The vulnerability allows a remote attacker to perofrm a denial of service (DoS) attack.

The vulnerability exists due to a functionality to log clicks on links in sent newsletters does not limit the amount of log entries generated per link. A remote attacker can use a valid link to fill the log table with a huge amount of records and cause a denial of service condition on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Direct Mail: 1.0.8 - 5.2.3

External links
https://typo3.org/help/security-advisories
https://typo3.org/security/advisory/typo3-ext-sa-2020-005

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Direct Mail extension for TYPO3