Miggo Logo

CVE-2020-12697: Denial of service in direct_mail

5.3

CVSS Score
3.1

Basic Information

EPSS Score
0.55213%
Published
5/24/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
directmailteam/direct-mailcomposer< 5.2.45.2.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unrestricted logging of newsletter link clicks. The security advisory explicitly states the lack of limits on log entries per link. The ClickTrackingController's trackClickAction is the logical entry point for click tracking, and its lack of throttling/constraints aligns with CWE-770. While exact code isn't available, TYPO3 extension patterns and vulnerability context strongly suggest this function's role in the exploit.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** *ir**t_m*il *xt*nsion t*rou** *.*.* *or TYPO* *llows **ni*l o* S*rvi** vi* lo* *ntri*s.

Reasoning

T** vuln*r**ility st*ms *rom unr*stri*t** lo**in* o* n*wsl*tt*r link *li*ks. T** s**urity **visory *xpli*itly st*t*s t** l**k o* limits on lo* *ntri*s p*r link. T** `*li*kTr**kin**ontroll*r`'s `tr**k*li*k**tion` is t** lo*i**l *ntry point *or *li*k t