CVE-2023-25014

An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to delete all frontend users.

CVSS v3.0 7.5 HIGH

7.5^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://typo3.org/security/advisory/typo3-ext-sa-2023-001	Patch Third Party Advisory
https://typo3.org/help/security-advisories	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:in2code:femanager::::::typo3::*
	cpe:2.3:a:in2code:femanager::::::typo3::*
	cpe:2.3:a:in2code:femanager::::::typo3::*

Information

Published : 2023-02-01 17:15

Updated : 2023-02-10 05:07

NVD link : CVE-2023-25014

Mitre link : CVE-2023-25014

JSON object : View

CWE

CWE-306

Missing Authentication for Critical Function

Products Affected

in2code

femanager

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://typo3.org/security/advisory/typo3-ext-sa-2023-001", "name": "https://typo3.org/security/advisory/typo3-ext-sa-2023-001", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://typo3.org/help/security-advisories", "name": "https://typo3.org/help/security-advisories", "tags": ["Third Party Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to delete all frontend users."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-306"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2023-25014", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}}, "publishedDate": "2023-02-02T01:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:in2code:femanager:*:*:*:*:*:typo3:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "7.1.0", "versionStartIncluding": "7.0.0"}, {"cpe23Uri": "cpe:2.3:a:in2code:femanager:*:*:*:*:*:typo3:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "6.3.4", "versionStartIncluding": "6.0.0"}, {"cpe23Uri": "cpe:2.3:a:in2code:femanager:*:*:*:*:*:typo3:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "5.5.3"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-02-10T13:07Z"}

7.5 /10