=====================================================================

                              CERT-Renater

                    Information Note No. 2023/VULN375

_____________________________________________________________________

DATE                : 05/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Any system running the TYPO3 extension femanager
                     (in2code/femanager) in versions 7.0.0 through
                     7.2.1, i.e. prior to the fixed release 7.2.2.

=====================================================================
https://typo3.org/security/advisory/typo3-ext-sa-2023-008
_____________________________________________________________________

TYPO3-EXT-SA-2023-008: Broken Access Control in extension "femanager"
(femanager)

It has been discovered that the extension "femanager" (femanager) is
susceptible to Broken Access Control.

     Release Date: October 04, 2023
     Component Type: Third party extension. This extension is not a
                      part of the TYPO3 default installation.
     Component: "femanager" (femanager)
     Composer Package Name: in2code/femanager
     Vulnerability Type: Broken Access Control
     Affected Versions: 7.0.0 - 7.2.1
     Severity: Medium
     Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C
     References: CVE-2023-45023, CWE-284


Problem Description

The extension fails to check access permissions for its invitation
component. Depending on the configuration of the plugin, a remote and
unauthenticated user (PR:N in the suggested vector) can create frontend
user accounts that are members of the frontend groups the plugin is
configured to assign.

Note that the issue is only exploitable if the invitation component of
the extension is configured and used on the website.


Solution

An updated version 7.2.2 is available from the TYPO3 extension manager,
from packagist and at
https://extensions.typo3.org/extension/download/femanager/7.2.2/zip
Users of the extension are advised to update the extension as soon as
possible.
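
A check for whether an installation is in the affected range, as an added
example that is neither part of this advisory nor of the femanager project.
It reads the installed version from composer.lock (Composer-based sites) or
from the extension's ext_emconf.php (legacy installs) and compares it with
the range 7.0.0 - 7.2.1 stated above; the lock file and ext_emconf.php
snippets embedded below are constructed sample inputs.

```python
"""Check whether an installed femanager falls in the affected range.

Added example, not part of the advisory or of the femanager project. The
sample composer.lock and ext_emconf.php contents are constructed.
"""
import json
import re

PACKAGE = "in2code/femanager"
AFFECTED_MIN = (7, 0, 0)   # first affected version per the advisory
AFFECTED_MAX = (7, 2, 1)   # last affected version; fixed in 7.2.2

# Constructed sample inputs, not taken from any real installation.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "typo3/cms-core", "version": "v12.4.7"},
        {"name": "in2code/femanager", "version": "v7.2.1"},
    ],
    "packages-dev": [],
})

SAMPLE_EMCONF = """<?php
$EM_CONF[$_EXTKEY] = [
    'title' => 'femanager',
    'version' => '7.2.2',
    'state' => 'stable',
];
"""


def parse_version(text):
    """Turn '7.2.1', 'v7.2.1' or '7.2.1.0' into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:\.\d+)?", text.strip())
    if not m:
        raise ValueError(f"cannot parse version {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version is within the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def version_from_composer_lock(lock_text):
    """Locate the package in composer.lock; None if it is not installed."""
    data = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg.get("version")
    return None


def version_from_ext_emconf(php_text):
    """Read the 'version' entry from a legacy ext_emconf.php."""
    m = re.search(r"['\"]version['\"]\s*=>\s*['\"]([^'\"]+)['\"]", php_text)
    return m.group(1) if m else None


def assess(version):
    """Map a raw version string to a verdict usable in an inventory report."""
    if version is None:
        return "not installed"
    try:
        return "affected" if is_affected(version) else "not in affected range"
    except ValueError:
        # dev-* or branch aliases carry no release number; review by hand.
        return "unknown"


if __name__ == "__main__":
    print("composer.lock :", assess(version_from_composer_lock(SAMPLE_LOCK)))
    print("ext_emconf.php:", assess(version_from_ext_emconf(SAMPLE_EMCONF)))
```

Run it against the real files of a site by replacing the two samples with the
contents of composer.lock and of the extension's ext_emconf.php; a verdict of
"affected" means the update to 7.2.2 is outstanding, and "unknown" (a dev
branch or alias) calls for a manual check of what is actually deployed.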


Credits

Thanks to Steffen Keuper for reporting the vulnerability and to
Stefan Busemann for providing an updated version of the extension.


General Advice

Follow the recommendations that are given in the TYPO3 Security
Guide. Please subscribe to the typo3-announce mailing list.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
