- Release Date: November 02, 2022
- Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
- Component: "femanager" (femanager)
- Composer Package Name: in2code/femanager
- Vulnerability Type: Broken Access Control
- Affected Versions: 5.5.1 and below, 6.0.0 - 6.3.2, 7.0.0
- Severity: Medium
- Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C
- References: CVE-2022-44543
The usergroup.inList validation can be bypassed resulting in new frontend users created by the extension may be members of groups that are restricted. The vulnerability is only exploitable if the field usergroup is available in the registration form.
Updated versions 5.5.2, 6.3.3 and 7.0.1 are available from the TYPO3 extension manager, packagist and at
Users of the extension are advised to update the extension as soon as possible.
Thanks to André Buchmann for reporting the vulnerability and to Andreas Nedbal and Stefan Busemann for providing updated versions of the extension.