CVE-2025-48202 in2code/femanager

Package

Manager: composer
Name: in2code/femanager
Vulnerable Version: >=8.0.0 <8.2.2 || >=7.0.0 <7.4.2 || >=6.0.0 <6.4.1 || >=5.5.0 <5.5.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00042 (percentile 0.11947)

Details

Insecure Direct Object Reference (IDOR) in the femanager TYPO3 extension allows attackers to view frontend user data via a user parameter in the newAction of the newController.

Metadata

Created: 2025-05-21T17:19:30Z
Modified: 2025-05-21T19:05:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-xxwr-wv9g-7jw3/GHSA-xxwr-wv9g-7jw3.json
CWE IDs: ["CWE-284", "CWE-425", "CWE-639"]
Alternative ID: GHSA-xxwr-wv9g-7jw3
Finding: F039
Auto approve: 1