Advisories for Composer/Evoweb/Sf-Register package

2026

TYPO3 sf_register extension allows unauthorized assignment of frontend user groups

The create and edit flows in the TYPO3 extension sf_register do not restrict which user properties may be submitted, and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups.