88 matches found
CVE-2023-25014
An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to delete all frontend users...
CVE-2023-25013
An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to set the password of all frontend users...
TYPO3-EXT-SA-2023-001: Broken Access Control in extension "femanager" (femanager)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2023-001...
TYPO3 Extension femanager vulnerable to Broken Access Control
The TYPO3 Extension femanager prior to versions 5.5.2, 6.3.3, and 7.0.1 is vulnerable to broken access control. The usergroup.inList validation can be bypassed resulting in new frontend users created by the extension may be members of groups that are restricted. The vulnerability is only...
GHSA-59M9-P6CM-94Q5 TYPO3 Extension femanager vulnerable to Broken Access Control
The TYPO3 Extension femanager prior to versions 5.5.2, 6.3.3, and 7.0.1 is vulnerable to broken access control. The usergroup.inList validation can be bypassed resulting in new frontend users created by the extension may be members of groups that are restricted. The vulnerability is only...
PT-2022-27229 · Typo3 · Femanager
Name of the Vulnerable Software and Affected Versions: femanager extension versions prior to 5.5.2 femanager extension versions 6.x prior to 6.3.3 femanager extension versions 7.x prior to 7.0.1 Description: The issue allows creation of frontend users in restricted groups if there is a usergroup...
TYPO3-EXT-SA-2022-015: Broken Access Control in extension "femanager" (femanager)
More info at https://typo3.org/security/advisory/typo3-ext-sa-2022-015...
TYPO3 femanager extension allows remote frontend users to modify or delete records of other frontend users
The femanager extension before 1.0.9 for TYPO3 allows remote frontend users to modify or delete the records of other frontend users via unspecified vectors...
Missing Authorization
Overview in2code/femanager is a Modern TYPO3 Frontend User Registration. Affected versions of this package are vulnerable to Missing Authorization via unspecified vectors. An attacker can modify or delete the records of other frontend users by exploiting these vectors. Remediation Upgrade...
GHSA-377V-8637-6VQ6 TYPO3 femanager extension allows remote frontend users to modify or delete records of other frontend users
The femanager extension before 1.0.9 for TYPO3 allows remote frontend users to modify or delete the records of other frontend users via unspecified vectors...
TYPO3 femanager 6.3.0 Cross Site Scripting
SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Stored Cross-Site Scripting vulnerability product: TYPO3 extension "femanager" vulnerable version: 6.0.0 - 6.3.0 and 5.5.0 and below fixed version: 6.3.1 and 5.5.1 CVE...
TYPO3 femanager 6.3.0 Cross Site Scripting Vulnerability
======================================================================= title: Stored Cross-Site Scripting vulnerability product: TYPO3 extension "femanager" vulnerable version: 6.0.0 - 6.3.0 and 5.5.0 and below fixed version: 6.3.1 and 5.5.1 CVE number: CVE-2021-36787 impact: Medium homepage:...
Cross-site Scripting in the femanager TYPO3 extension
The extension allows by default to upload SVG files when a logged in frontend user uploads a new profile image. This may lead to Cross-Site Scripting, when the uploaded SVG image is used as is on the website. Note: If SVG uploads are required, it is recommended to use the TYPO3 extension...
GHSA-F3RF-V9QM-9C89 Cross-site Scripting in the femanager TYPO3 extension
The extension allows by default to upload SVG files when a logged in frontend user uploads a new profile image. This may lead to Cross-Site Scripting, when the uploaded SVG image is used as is on the website. Note: If SVG uploads are required, it is recommended to use the TYPO3 extension...
Cross-site Scripting (XSS)
femanageris vulnerable to Cross-site Scripting. The vulnerability exists due to insufficient sanitization of user-supplied data in the SVG image. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in...
TYPO3 Cross-Site Scripting Vulnerability (CNVD-2022-17974)
TYPO3 is a free and open source content management system framework CMS/CMF from the TYPO3 Typo3 association in Switzerland.TYPO3 Femanager has a cross-site scripting vulnerability that can be exploited by attackers to XSS through a well-designed SVG document...
CVE-2021-36787
The femanager extension before 5.5.1 and 6.x before 6.3.1 for TYPO3 allows XSS via a crafted SVG document...
CVE-2021-36787
The femanager extension before 5.5.1 and 6.x before 6.3.1 for TYPO3 allows XSS via a crafted SVG document...
CVE-2021-36787
The femanager extension before 5.5.1 and 6.x before 6.3.1 for TYPO3 allows XSS via a crafted SVG document...
CVE-2021-36787
The CVE-2021-36787 issue affects the TYPO3 femanager extension prior to 5.5.1 and 6.x prior to 6.3.1, where a crafted SVG document can trigger Cross-Site Scripting (XSS). The vulnerability arises from how SVG content is handled during user-related operations, allowing injected script when the SVG...