CVE-2023-50459

MEDIUM5.4

Broken Access Control in extension "femanager"

發布日:2023/12/13修改日:2024/11/30

描述

The extension fails to check access permissions for the edit user component. An authenticated frontend user can use the vulnerability to either edit data of various frontend users or to delete various frontend user accounts. Another missing access check in the backend module of the extensions allows an authenticated backend user to perform various actions (userLogout, confirmUser, refuseUser and resendUserConfirmation) for any frontend user in the system.

受影響套件(1)

Packagist/in2code/femanager>= 7.0.0, < 7.2.3

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

參考連結(2)

WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/in2code/femanager/CVE-2023-50459.yaml
WEBhttps://typo3.org/security/advisory/typo3-ext-sa-2023-010