CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS
Percentile: 17.0%
The TYPO3 extension femanager prior to versions 5.5.2, 6.3.3, and 7.0.1 is vulnerable to broken access control. The usergroup.inList validation can be bypassed, so new frontend users created by the extension may be members of restricted groups. The vulnerability is only exploitable if the usergroup field is available in the registration form. Versions 5.5.2, 6.3.3, and 7.0.1 contain patches.
github.com/advisories/GHSA-59m9-p6cm-94q5
github.com/FriendsOfPHP/security-advisories/blob/master/in2code/femanager/CVE-2022-44543.yaml
github.com/in2code-de/femanager/commit/827edbc767b1cb6c0cb77d82e46b88fea3b22ad9
github.com/in2code-de/femanager/releases/tag/5.5.2
github.com/in2code-de/femanager/releases/tag/6.3.3
github.com/in2code-de/femanager/releases/tag/7.0.1
nvd.nist.gov/vuln/detail/CVE-2022-44543
typo3.org/help/security-advisories
typo3.org/security/advisory/typo3-ext-sa-2022-015