CVE-2023-50459 – in2code/femanager

Package

Manager: composer
Name: in2code/femanager
Vulnerable Version: >=7.0.0 <7.2.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Broken Access Control in extension "femanager" The extension fails to check access permissions for the edit user component. An authenticated frontend user can use the vulnerability to either edit data of various frontend users or to delete various frontend user accounts. Another missing access check in the backend module of the extensions allows an authenticated backend user to perform various actions (userLogout, confirmUser, refuseUser and resendUserConfirmation) for any frontend user in the system.

Metadata

Created: 2023-12-13T23:11:54Z
Modified: 2023-12-13T23:11:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-4xp5-hr35-84cx/GHSA-4xp5-hr35-84cx.json
CWE IDs: []
Alternative ID: GHSA-4xp5-hr35-84cx
Finding: F039
Auto approve: 1