ecosyste.ms

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS05M2o0LXY4MzgtODc2N84AA2Pm

Moderate

Permalink JSON

TYPO3 extension femanager Broken Access Control vulnerability

Affected Packages	Affected Versions	Fixed Versions
packagist:in2code/femanager	>= 7.0.0, < 7.2.2	7.2.2
5 Dependent packages 8 Dependent repositories 645,216 Downloads total Affected Version Ranges All affected versions 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.2.0, 7.2.1 All unaffected versions 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.3.0, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 5.0.0, 5.1.0, 5.1.1, 5.2.0, 5.3.0, 5.3.1, 5.4.0, 5.4.1, 5.4.2, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 6.1.2, 6.2.0, 6.2.1, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.4.0, 6.4.1, 6.4.2, 7.2.2, 7.2.3, 7.3.0, 7.4.0, 7.4.1, 7.4.2, 7.5.0, 7.5.1, 7.5.2, 8.0.0, 8.0.1, 8.1.0, 8.2.0, 8.2.1, 8.2.2, 8.3.0

femanager fails to check access permissions for the invitation component. Depending on the configuration of the plugin, a remote user can create frontend user accounts with access to configured frontend groups.

References: