TYPO3-EXT-SA-2022-015: Broken Access Control in extension "femanager" (femanager)

Categories: Development, Security Created by Torben Hansen
It has been discovered that the extension "femanager" (femanager) is susceptible to Broken Access Control.

Problem Description

The usergroup.inList  validation can be bypassed resulting in new frontend users created by the extension may be members of groups that are restricted. The vulnerability is only exploitable if the field usergroup is available in the registration form.

Solution

Updated versions 5.5.2, 6.3.3 and 7.0.1 are available from the TYPO3 extension manager, packagist and at
https://extensions.typo3.org/extension/download/femanager/5.5.2/zip
https://extensions.typo3.org/extension/download/femanager/6.3.3/zip
https://extensions.typo3.org/extension/download/femanager/7.0.1/zip
Users of the extension are advised to update the extension as soon as possible.

Credits

Thanks to André Buchmann for reporting the vulnerability and to Andreas Nedbal and Stefan Busemann for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.