GoogleOSV:GHSA-59M9-P6CM-94Q5TYPO3 Extension femanager vulnerable to Broken Access Control
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
0.0005 Low
EPSS
Percentile
17.1%
The TYPO3 Extension femanager prior to versions 5.5.2, 6.3.3, and 7.0.1 is vulnerable to broken access control. The usergroup.inList validation can be bypassed resulting in new frontend users created by the extension may be members of groups that are restricted. The vulnerability is only exploitable if the field usergroup is available in the registration form. Versions 5.5.2, 6.3.3, and 7.0.1 contain patches.
References
github.com/FriendsOfPHP/security-advisories/blob/master/in2code/femanager/CVE-2022-44543.yaml
github.com/in2code-de/femanager
github.com/in2code-de/femanager/commit/827edbc767b1cb6c0cb77d82e46b88fea3b22ad9
github.com/in2code-de/femanager/releases/tag/5.5.2
github.com/in2code-de/femanager/releases/tag/6.3.3
github.com/in2code-de/femanager/releases/tag/7.0.1
nvd.nist.gov/vuln/detail/CVE-2022-44543
typo3.org/help/security-advisories
typo3.org/security/advisory/typo3-ext-sa-2022-015
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
0.0005 Low
EPSS
Percentile
17.1%