
=====================================================================

                              CERT-Renater

                   Note d'Information No. 2023/VULN045

_____________________________________________________________________

DATE                : 02/02/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running femanager for TYPO3 versions prior
                     to 5.5.3, 6.3.4, 7.1.0.

=====================================================================
https://typo3.org/security/advisory/typo3-ext-sa-2023-001
_____________________________________________________________________


  Tue. 31st January, 2023
TYPO3-EXT-SA-2023-001: Broken Access Control in extension "femanager"
(femanager)

Categories: Development, Security
Created by Torben Hansen
It has been discovered that the extension "femanager" (femanager)
is susceptible to Broken Access Control.

     Release Date: January 31, 2023
     Component Type: Third party extension. This extension is not
a part of the TYPO3 default installation.
     Component: "femanager" (femanager)
     Composer Package Name: in2code/femanager
     Vulnerability Type: Broken Access Control
     Affected Versions: 5.5.2 and below, 6.0.0 - 6.3.3, 7.0.0 - 7.0.1
     Severity: High
     Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C
     References: CVE-2023-25013, CVE-2023-25014, CWE-284


Problem Description

A missing access check in the InvitationController allows an
unauthenticated user with a valid invitation link to set the
password of all frontend users. Another missing access check
in the InvitationController allows an unauthenticated user
to delete all frontend users.

Note that the issue is only exploitable if the invitation
component of the extension is configured and used on the
website.


Solution

Updated versions 5.5.3, 6.3.4 and 7.1.0 are available from
the TYPO3 extension manager, Packagist and at:
https://extensions.typo3.org/extension/download/femanager/5.5.3/zip
https://extensions.typo3.org/extension/download/femanager/6.3.4/zip
https://extensions.typo3.org/extension/download/femanager/7.1.0/zip
Users of the extension are advised to update the extension
as soon as possible.
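The check an administrator will want after reading the affected and fixed
version lists above is whether a given installation falls inside one of the
three affected ranges and which fixed release it should move to. The script
below is an added example written for this note; it is not code from
CERT-Renater, TYPO3 or the in2code/femanager project. The version bounds are
taken from the advisory; the function names, the composer.lock excerpt and the
sample versions are constructed for the example. It assumes a Composer-based
TYPO3 installation whose composer.lock lists the package under its standard
"packages" or "packages-dev" arrays.

```python
"""Check an installed femanager version against the ranges in
TYPO3-EXT-SA-2023-001 and report the fixed release to upgrade to.

Added example for the CERT-Renater note; not part of the advisory or
of the in2code/femanager project.
"""
import json
from typing import Optional, Tuple

PACKAGE = "in2code/femanager"

# Affected ranges from the advisory as inclusive (low, high) bounds, each
# paired with the fixed release of that branch.
AFFECTED_RANGES = (
    ("0.0.0", "5.5.2", "5.5.3"),   # 5.5.2 and below
    ("6.0.0", "6.3.3", "6.3.4"),   # 6.0.0 - 6.3.3
    ("7.0.0", "7.0.1", "7.1.0"),   # 7.0.0 - 7.0.1
)

# Constructed composer.lock excerpt (not from a real installation).
SAMPLE_COMPOSER_LOCK = """{
  "packages": [
    {"name": "typo3/cms-core", "version": "v11.5.23"},
    {"name": "in2code/femanager", "version": "v7.0.1"}
  ],
  "packages-dev": []
}"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v6.3.1' or '6.3' into a comparable (major, minor, patch) tuple.

    A pre-release suffix such as '-rc1' is dropped. Non-numeric versions
    (e.g. 'dev-main') raise ValueError rather than being treated as safe.
    """
    core = text.strip().lstrip("v").split("-")[0]
    nums = [int(p) for p in core.split(".")[:3]]
    while len(nums) < 3:          # pad so 6.3 compares like 6.3.0
        nums.append(0)
    return nums[0], nums[1], nums[2]


def fixed_release_for(installed: str) -> Optional[str]:
    """Return the fixed release the installed version should move to,
    or None when the version lies outside every affected range."""
    v = parse_version(installed)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


def is_affected(installed: str) -> bool:
    return fixed_release_for(installed) is not None


def femanager_version_from_lock(lock_json: str) -> Optional[str]:
    """Find the locked femanager version in a composer.lock document."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg.get("version")
    return None


if __name__ == "__main__":
    version = femanager_version_from_lock(SAMPLE_COMPOSER_LOCK)
    if version is None:
        print(f"{PACKAGE} not present in composer.lock")
    else:
        fixed = fixed_release_for(version)
        if fixed:
            print(f"{PACKAGE} {version} is affected; upgrade to {fixed}")
        else:
            print(f"{PACKAGE} {version} is outside the affected ranges")
```

Running the script against a real installation means replacing the sample
string with the contents of the site's composer.lock; for installations
managed through the extension manager rather than Composer, pass the version
shown there straight to fixed_release_for.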


Credits

Thanks to Stefan Busemann for providing updated versions of
the extension.


General Advice

Follow the recommendations that are given in the TYPO3 Security
Guide. Please subscribe to the typo3-announce mailing list.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


