CVE-2023-25014

An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to delete all frontend users.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://typo3.org/help/security-advisories	Third Party Advisory
https://typo3.org/security/advisory/typo3-ext-sa-2023-001	Patch Third Party Advisory
https://typo3.org/help/security-advisories	Third Party Advisory
https://typo3.org/security/advisory/typo3-ext-sa-2023-001	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:in2code:femanager::::::typo3::*
	cpe:2.3:a:in2code:femanager::::::typo3::*
	cpe:2.3:a:in2code:femanager::::::typo3::*

History

26 Mar 2025, 18:15

Type	Values Removed	Values Added
CWE		CWE-862

Information

Published : 2023-02-02 01:15

Updated : 2025-03-26 18:15

NVD link : CVE-2023-25014

Mitre link : CVE-2023-25014

CVE.ORG link : CVE-2023-25014

JSON object : View

Products Affected

in2code

femanager

CWE

CWE-306

Missing Authentication for Critical Function

CWE-862

Missing Authorization

{"id": "CVE-2023-25014", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-02-02T01:15:08.670", "references": [{"url": "https://typo3.org/help/security-advisories", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://typo3.org/security/advisory/typo3-ext-sa-2023-001", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://typo3.org/help/security-advisories", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://typo3.org/security/advisory/typo3-ext-sa-2023-001", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to delete all frontend users."}], "lastModified": "2025-03-26T18:15:23.490", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:in2code:femanager:*:*:*:*:*:typo3:*:*", "vulnerable": true, "matchCriteriaId": "BB2CBCCA-46DF-4A53-A863-E32620C4799E", "versionEndExcluding": "5.5.3"}, {"criteria": "cpe:2.3:a:in2code:femanager:*:*:*:*:*:typo3:*:*", "vulnerable": true, "matchCriteriaId": "2580AA87-29CC-4C22-9323-89433C175A67", "versionEndExcluding": "6.3.4", "versionStartIncluding": "6.0.0"}, {"criteria": "cpe:2.3:a:in2code:femanager:*:*:*:*:*:typo3:*:*", "vulnerable": true, "matchCriteriaId": "7233E443-0FB0-40F1-A64A-50678568077B", "versionEndExcluding": "7.1.0", "versionStartIncluding": "7.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}