CVE-2025-7900: Femanager extension for TYPO3 allows Insecure Direct Object Reference

July 22, 2025 (updated November 10, 2025)

The femanager extension for TYPO3 allows Insecure Direct Object Reference resulting in unauthorized modification of userdata. This issue affects femanager version 6.4.1 and below, 7.0.0 to 7.5.2 and 8.0.0 to 8.3.0.

References

github.com/advisories/GHSA-rc5f-3hfv-jxp2
github.com/in2code-de/femanager
github.com/in2code-de/femanager/commit/9bd9fbded4cf31f69bfe03c55d406e79050f8069
nvd.nist.gov/vuln/detail/CVE-2025-7900
typo3.org/security/advisory/typo3-ext-sa-2025-010

Code Behaviors & Features

Detect and mitigate CVE-2025-7900 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →