GHSA-4xp5-hr35-84cx

Опубликовано: 13 дек. 2023

Источник: github

Github: Прошло ревью

CVSS3: 5.4

Описание

Broken Access Control in extension "femanager"

The extension fails to check access permissions for the edit user component. An authenticated frontend user can use the vulnerability to either edit data of various frontend users or to delete various frontend user accounts.

Another missing access check in the backend module of the extensions allows an authenticated backend user to perform various actions (userLogout, confirmUser, refuseUser and resendUserConfirmation) for any frontend user in the system.

Ссылки

https://github.com/FriendsOfPHP/security-advisories/blob/master/in2code/femanager/CVE-2023-50459.yaml
https://typo3.org/security/advisory/typo3-ext-sa-2023-010

Пакеты

Наименование

in2code/femanager

composer

Затронутые версииВерсия исправления

>= 7.0.0, < 7.2.3

7.2.3

5.4 Medium

CVSS3

CVE ID

CVE-2023-50459

5.4 Medium

CVSS3

CVE ID

CVE-2023-50459