Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1tbTh2LXdtcXgtOGgyas4AAxVo

High EPSS: 0.00063% (0.19722 Percentile) EPSS:
Permalink JSON

Broken Access Control in 3rd party TYPO3 extension "femanager"

Affected Packages Affected Versions Fixed Versions
packagist:in2code/femanager >= 7.0.0, < 7.1.0, >= 6.0.0, < 6.3.4, < 5.5.3 7.1.0, 6.3.4, 5.5.3
5 Dependent packages
8 Dependent repositories
645,216 Downloads total

Affected Version Ranges

All affected versions

2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.3.0, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 5.0.0, 5.1.0, 5.1.1, 5.2.0, 5.3.0, 5.3.1, 5.4.0, 5.4.1, 5.4.2, 5.5.0, 5.5.1, 5.5.2, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 6.1.2, 6.2.0, 6.2.1, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 7.0.0, 7.0.1

All unaffected versions

5.5.3, 5.5.4, 5.5.5, 6.3.4, 6.3.5, 6.3.6, 6.4.0, 6.4.1, 6.4.2, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.3.0, 7.4.0, 7.4.1, 7.4.2, 7.5.0, 7.5.1, 7.5.2, 8.0.0, 8.0.1, 8.1.0, 8.2.0, 8.2.1, 8.2.2, 8.3.0

A missing access check in the InvitationController allows an unauthenticated user with a valid invitation link to set the password of all frontend users.

References:

Identifiers

GHSA-mm8v-wmqx-8h2j

CVE-2023-25013

Risk

Severity

High

EPSS

EPSS Percentage: 0.00063

EPSS Percentile: 0.19722

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Date and time

Published

over 2 years ago

Updated

over 2 years ago

API

JSON