Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01OW05LXA2Y20tOTRxNc4AAvsG

TYPO3 Extension femanager vulnerable to Broken Access Control

The TYPO3 Extension femanager prior to versions 5.5.2, 6.3.3, and 7.0.1 is vulnerable to broken access control. The usergroup.inList validation can be bypassed resulting in new frontend users created by the extension may be members of groups that are restricted. The vulnerability is only exploitable if the field usergroup is available in the registration form. Versions 5.5.2, 6.3.3, and 7.0.1 contain patches.

Permalink: https://github.com/advisories/GHSA-59m9-p6cm-94q5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01OW05LXA2Y20tOTRxNc4AAvsG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: 5 months ago

CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Identifiers: GHSA-59m9-p6cm-94q5, CVE-2022-44543
References:

Repository: https://github.com/in2code-de/femanager
Blast Radius: 5.9

Affected Packages

packagist:in2code/femanager

Dependent packages: 3
Dependent repositories: 8
Downloads: 490,824 total
Affected Version Ranges: < 5.5.2, >= 6.0.0, < 6.3.3, >= 7.0.0, < 7.0.1
Fixed in: 5.5.2, 6.3.3, 7.0.1
All affected versions: 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.3.0, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 5.0.0, 5.1.0, 5.1.1, 5.2.0, 5.3.0, 5.3.1, 5.4.0, 5.4.1, 5.4.2, 5.5.0, 5.5.1, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 6.1.2, 6.2.0, 6.2.1, 6.3.0, 6.3.1, 6.3.2, 7.0.0
All unaffected versions: 5.5.2, 5.5.3, 5.5.4, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 7.0.1, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 8.0.0, 8.0.1