Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00eHA1LWhyMzUtODRjeM4AA3v8

Broken Access Control in extension "femanager"

The extension fails to check access permissions for the edit user component. An authenticated frontend user can use the vulnerability to either edit data of various frontend users or to delete various frontend user accounts.

Another missing access check in the backend module of the extensions allows an authenticated backend user to perform various actions (userLogout, confirmUser, refuseUser and resendUserConfirmation) for any frontend user in the system.

Permalink: https://github.com/advisories/GHSA-4xp5-hr35-84cx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00eHA1LWhyMzUtODRjeM4AA3v8
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 12 months ago
Updated: 12 months ago

CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Identifiers: GHSA-4xp5-hr35-84cx, CVE-2023-50459
References:

Blast Radius: 4.9

Affected Packages

packagist:in2code/femanager

Dependent packages: 5
Dependent repositories: 8
Downloads: 567,898 total
Affected Version Ranges: >= 7.0.0, < 7.2.3
Fixed in: 7.2.3
All affected versions: 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.2.2
All unaffected versions: 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.3.0, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 5.0.0, 5.1.0, 5.1.1, 5.2.0, 5.3.0, 5.3.1, 5.4.0, 5.4.1, 5.4.2, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 6.1.2, 6.2.0, 6.2.1, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.4.0, 7.2.3, 7.3.0, 7.4.0, 7.4.1, 8.0.0, 8.0.1, 8.1.0, 8.2.0, 8.2.1