Access Control Bypass Affecting in2code/femanager package, versions >=7.0.0, <7.2.3
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-IN2CODEFEMANAGER-6124886
- published 14 Dec 2023
- disclosed 13 Dec 2023
- credit David Brauer
Introduced: 13 Dec 2023
CVE-2023-50459 Open this link in a new tabHow to fix?
Upgrade in2code/femanager to version 7.2.3 or higher.
Overview
in2code/femanager is a Modern TYPO3 Frontend User Registration.
Affected versions of this package are vulnerable to Access Control Bypass due to improper access permissions validation for the edit user component. An authenticated front-end user can use the vulnerability to either edit the data of various front-end users or delete various front-end user accounts.
Another missing access check in the backend module of the extensions allows an authenticated backend user to perform various actions (userLogout, confirmUser, refuseUser and resendUserConfirmation) for any frontend user in the system.