GMS-2022-6272: TYPO3 Extension femanager vulnerable to Broken Access Control
The TYPO3 Extension femanager prior to versions 5.5.2, 6.3.3, and 7.0.1 is vulnerable to broken access control. The usergroup.inList validation can be bypassed resulting in new frontend users created by the extension may be members of groups that are restricted. The vulnerability is only exploitable if the field usergroup is available in the registration form. Versions 5.5.2, 6.3.3, and 7.0.1 contain patches.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/in2code/femanager/CVE-2022-44543.yaml
- github.com/advisories/GHSA-59m9-p6cm-94q5
- github.com/in2code-de/femanager/commit/827edbc767b1cb6c0cb77d82e46b88fea3b22ad9
- github.com/in2code-de/femanager/releases/tag/5.5.2
- github.com/in2code-de/femanager/releases/tag/6.3.3
- github.com/in2code-de/femanager/releases/tag/7.0.1
- typo3.org/security/advisory/typo3-ext-sa-2022-015
Detect and mitigate GMS-2022-6272 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →