CVE-2023-25014

Published: Feb 2, 2023Modified: Mar 26, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to delete all frontend users.

Affected (3)

Products: In2code: Femanager

In2code

1 product

Femanager

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
In2code Femanager	Before 5.5.3
In2code Femanager	From 6.0.0 to 6.3.4
In2code Femanager	From 7.0.0 to 7.1.0

Related CWEs

CWE-306

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (4)

https://typo3.org/help/security-advisories

Source: cve@mitre.org

Third Party Advisory

https://typo3.org/security/advisory/typo3-ext-sa-2023-001

Source: cve@mitre.org

PatchThird Party Advisory

https://typo3.org/help/security-advisories

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://typo3.org/security/advisory/typo3-ext-sa-2023-001

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.