- Release Date: November 02, 2022
- Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
- Component: "femanager" (femanager)
- Composer Package Name: in2code/femanager
- Vulnerability Type: Broken Access Control
- Affected Versions: 5.5.1 and below, 6.0.0 - 6.3.2, 7.0.0
- Severity: Medium
- Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C
- References: CVE-2022-44543
Problem Description
The usergroup.inList validation can be bypassed resulting in new frontend users created by the extension may be members of groups that are restricted. The vulnerability is only exploitable if the field usergroup is available in the registration form.
Solution
Updated versions 5.5.2, 6.3.3 and 7.0.1 are available from the TYPO3 extension manager, packagist and at
https://extensions.typo3.org/extension/download/femanager/5.5.2/zip
https://extensions.typo3.org/extension/download/femanager/6.3.3/zip
https://extensions.typo3.org/extension/download/femanager/7.0.1/zip
Users of the extension are advised to update the extension as soon as possible.
Credits
Thanks to André Buchmann for reporting the vulnerability and to Andreas Nedbal and Stefan Busemann for providing updated versions of the extension.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.