GitHub Advisory Database: GHSA-59M9-P6CM-94Q5
History: Nov 03, 2022 - 6:10 p.m.

TYPO3 Extension femanager vulnerable to Broken Access Control

2022-11-03 18:10:52
GitHub Advisory Database
github.com

typo3 extension, femanager, broken access control, vulnerable, usergroup validation, frontend users, security patch

CVSS3: 5.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS: 0.001
Percentile: 17.0%

The TYPO3 extension femanager prior to versions 5.5.2, 6.3.3, and 7.0.1 is vulnerable to broken access control. The usergroup.inList validation can be bypassed, so new frontend users created by the extension may become members of groups that are meant to be restricted. The vulnerability is only exploitable if the usergroup field is exposed in the registration form. Versions 5.5.2, 6.3.3, and 7.0.1 contain patches.
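The defensive counterpart to the flaw described above is a server-side allowlist check on the usergroup field that cannot be bypassed by malformed or type-juggled input. The following PHP is an added illustration written for this page, not femanager's own code; the function names, the comma-separated allowlist format and the sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Normalizes a raw "usergroup" value (array or comma-separated string) into a
// list of distinct integer uids. Anything that is not a plain decimal uid
// ("", "0", "03", "1e1", " 1") is rejected instead of coerced, so PHP's loose
// comparison rules cannot smuggle an unexpected group through the check.
function normalizeGroupIds($value): array
{
    if ($value === null || $value === '') {
        return [];
    }
    $items = is_array($value) ? $value : explode(',', (string)$value);
    $ids = [];
    foreach ($items as $item) {
        $item = trim((string)$item);
        if (!ctype_digit($item) || $item !== (string)(int)$item || (int)$item === 0) {
            throw new InvalidArgumentException('Invalid usergroup value: ' . $item);
        }
        $ids[] = (int)$item;
    }
    return array_values(array_unique($ids));
}

// Returns the validated uids or throws if any requested uid is not in the
// allowlist. Default deny: an empty allowlist means no group may be chosen.
// $allowedList stands in for a setting such as usergroup.inList (assumed format).
function validateUsergroups($submitted, string $allowedList): array
{
    $allowed   = normalizeGroupIds($allowedList);
    $requested = normalizeGroupIds($submitted);
    foreach ($requested as $uid) {
        if (!in_array($uid, $allowed, true)) {   // strict: no type juggling
            throw new RuntimeException('usergroup ' . $uid . ' is not permitted for self-registration');
        }
    }
    return $requested;
}

// Constructed demonstration values.
$allowedList = '3,4';                                    // groups open to self-registration
var_dump(validateUsergroups('3,4', $allowedList));       // [3, 4]
try {
    validateUsergroups(['3', '1'], $allowedList);        // 1 = hypothetical restricted group
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;                      // rejected
}
```

Whatever form the check takes, the simplest mitigation the advisory implies is to not expose the usergroup field in the registration form at all, and to upgrade to a patched version.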

Affected configurations

Vendor: in2code, Product: femanager (typo3), Range: < 5.5.2
OR
Vendor: in2code, Product: femanager (typo3), Range: >= 6.0.0, < 6.3.3
OR
Vendor: in2code, Product: femanager (typo3), Range: >= 7.0.0, < 7.0.1

Vendor: in2code, Product: femanager, Version: *, CPE: cpe:2.3:a:in2code:femanager:*:*:*:*:*:typo3:*:*
