CVE-2022-44543
MEDIUM6.5EPSS 0.23%TYPO3 Extension femanager vulnerable to Broken Access Control
發布日:2022/11/3修改日:2024/11/30
描述
The TYPO3 Extension femanager prior to versions 5.5.2, 6.3.3, and 7.0.1 is vulnerable to broken access control. The `usergroup.inList` validation can be bypassed resulting in new frontend users created by the extension may be members of groups that are restricted. The vulnerability is only exploitable if the field usergroup is available in the registration form. Versions 5.5.2, 6.3.3, and 7.0.1 contain patches.
受影響套件(1)
- Packagist/in2code/femanager>= 7.0.0, < 7.0.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
參考連結(9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-44543
- PATCHhttps://github.com/in2code-de/femanager
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/in2code/femanager/CVE-2022-44543.yaml
- WEBhttps://github.com/in2code-de/femanager/commit/827edbc767b1cb6c0cb77d82e46b88fea3b22ad9
- WEBhttps://github.com/in2code-de/femanager/releases/tag/5.5.2
- WEBhttps://github.com/in2code-de/femanager/releases/tag/6.3.3
- WEBhttps://github.com/in2code-de/femanager/releases/tag/7.0.1
- WEBhttps://typo3.org/help/security-advisories
- WEBhttps://typo3.org/security/advisory/typo3-ext-sa-2022-015