CVE-2022-44543 – in2code/femanager
Package
Manager: composer
Name: in2code/femanager
Vulnerable Version: >=7.0.0 <7.0.1 || >=6.0.0 <6.3.3 || >=0 <5.5.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00259 (percentile: 0.49063)
Details
TYPO3 Extension femanager vulnerable to Broken Access Control

The TYPO3 extension femanager prior to versions 5.5.2, 6.3.3, and 7.0.1 is vulnerable to broken access control. The `usergroup.inList` validation can be bypassed, so new frontend users created by the extension may be members of restricted groups. The vulnerability is only exploitable if the `usergroup` field is available in the registration form. Versions 5.5.2, 6.3.3, and 7.0.1 contain patches.
Metadata
Created: 2022-11-03T18:10:52Z
Modified: 2023-12-12T19:43:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-59m9-p6cm-94q5/GHSA-59m9-p6cm-94q5.json
CWE IDs: []
Alternative ID: GHSA-59m9-p6cm-94q5
Finding: F039
Auto approve: 1