Headline
GHSA-59m9-p6cm-94q5: TYPO3 Extension femanager vulnerable to Broken Access Control
The TYPO3 Extension femanager prior to versions 5.5.2, 6.3.3, and 7.0.1 is vulnerable to broken access control. The usergroup.inList validation can be bypassed resulting in new frontend users created by the extension may be members of groups that are restricted. The vulnerability is only exploitable if the field usergroup is available in the registration form. Versions 5.5.2, 6.3.3, and 7.0.1 contain patches.
Package
composer in2code/femanager (Composer)
Affected versions
>= 7.0.0, < 7.0.1
>= 6.0.0, < 6.3.3
< 5.5.2
Patched versions
7.0.1
6.3.3
5.5.2
Related news
The femanager extension before 5.5.2, 6.x before 6.3.3, and 7.x before 7.0.1 for TYPO3 allows creation of frontend users in restricted groups (if there is a usergroup field on the registration form). This occurs because the usergroup.inList protection mechanism is mishandled.