Headline
GHSA-3p9x-xxx6-2w4p: Broken Access Control in 3rd party TYPO3 extension "femanager"
A missing access check in the InvitationController
allows an unauthenticated user to delete all frontend users.
Broken Access Control in 3rd party TYPO3 extension “femanager”
High severity GitHub Reviewed Published Feb 2, 2023 to the GitHub Advisory Database • Updated Feb 8, 2023
Related news
CVE-2023-25014: Broken Access Control in extension "femanager" (femanager)
An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to delete all frontend users.