TYPO3 · Femanager · CVE-2022-44543
**Name of the Vulnerable Software and Affected Versions**
femanager extension versions prior to 5.5.2
femanager extension versions 6.x prior to 6.3.3
femanager extension versions 7.x prior to 7.0.1
**Description**
The issue allows creation of frontend users in restricted groups if there is a usergroup field on the registration form. This occurs because the `usergroup.inList` protection mechanism is mishandled, allowing the validation to be bypassed. New frontend users created by the extension may be members of groups that are restricted. The vulnerability is only exploitable if the field `usergroup` is available in the registration form.
**Recommendations**
For femanager extension versions prior to 5.5.2, update to version 5.5.2 or later.
For femanager extension versions 6.x prior to 6.3.3, update to version 6.3.3 or later.
For femanager extension versions 7.x prior to 7.0.1, update to version 7.0.1 or later.
As a temporary workaround, consider removing the `usergroup` field from the registration form until a patch is applied.
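
The following triage script is an added example, not code from the femanager project or the advisory. It checks an installed version against the affected ranges listed above and flags frontend accounts whose groups fall outside the form's allow-list. It assumes the rows are self-registered accounts exported from the TYPO3 `fe_users` table, where `usergroup` holds a comma-separated list of group uids; the function names, sample rows and the `ALLOWED` set are constructed for illustration.

```python
# Added triage example; sample data below is constructed.
import re

# Fixed releases per branch, taken from the advisory text.
FIXED = {5: (5, 5, 2), 6: (6, 3, 3), 7: (7, 0, 1)}

def parse_version(text):
    """Turn '6.3.2' or 'v6.3.2' into (6, 3, 2); reject anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version_text):
    """True if the femanager version falls in a range the advisory lists."""
    v = parse_version(version_text)
    if v[0] <= 5:                 # "versions prior to 5.5.2"
        return v < FIXED[5]
    fixed = FIXED.get(v[0])       # 6.x and 7.x branches
    return fixed is not None and v < fixed

def parse_groups(field):
    """fe_users.usergroup is a comma-separated list of fe_groups uids."""
    return {int(g) for g in field.split(",") if g.strip().isdigit()}

def users_outside_allow_list(rows, allowed_groups):
    """Return (uid, username, unexpected_groups) for accounts holding any
    group the registration form is not supposed to hand out."""
    findings = []
    for row in rows:
        extra = parse_groups(row["usergroup"]) - set(allowed_groups)
        if extra:
            findings.append((row["uid"], row["username"], sorted(extra)))
    return findings

# Constructed sample: self-registered accounts exported from fe_users.
SAMPLE_ROWS = [
    {"uid": 101, "username": "alice", "usergroup": "1"},
    {"uid": 102, "username": "bob", "usergroup": "1,2"},
    {"uid": 103, "username": "mallory", "usergroup": "1,7"},
    {"uid": 104, "username": "carol", "usergroup": ""},
]
ALLOWED = {1, 2}  # assumed value of the form's usergroup.inList setting

if __name__ == "__main__":
    print(is_affected("6.3.2"), users_outside_allow_list(SAMPLE_ROWS, ALLOWED))
```

Accounts that an administrator deliberately placed in other groups will also be reported, so review each finding against the account's creation history before acting on it.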