Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00eHA1LWhyMzUtODRjeM4AA3v8
Broken Access Control in extension "femanager"
The extension fails to check access permissions for the edit user component. An authenticated frontend user can use the vulnerability to either edit data of various frontend users or to delete various frontend user accounts.
Another missing access check in the backend module of the extensions allows an authenticated backend user to perform various actions (userLogout, confirmUser, refuseUser and resendUserConfirmation) for any frontend user in the system.
Permalink: https://github.com/advisories/GHSA-4xp5-hr35-84cxJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00eHA1LWhyMzUtODRjeM4AA3v8
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 5 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-4xp5-hr35-84cx, CVE-2023-50459
References:
- https://github.com/FriendsOfPHP/security-advisories/blob/master/in2code/femanager/CVE-2023-50459.yaml
- https://typo3.org/security/advisory/typo3-ext-sa-2023-010
- https://github.com/advisories/GHSA-4xp5-hr35-84cx
Affected Packages
packagist:in2code/femanager
Dependent packages: 3Dependent repositories: 8
Downloads: 490,494 total
Affected Version Ranges: >= 7.0.0, < 7.2.3
Fixed in: 7.2.3
All affected versions: 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.2.2
All unaffected versions: 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.3.0, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 5.0.0, 5.1.0, 5.1.1, 5.2.0, 5.3.0, 5.3.1, 5.4.0, 5.4.1, 5.4.2, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 6.1.2, 6.2.0, 6.2.1, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 7.2.3, 8.0.0, 8.0.1