CVE-2023-25013

Name of the Vulnerable Software and Affected Versions femanager extension versions prior to 5.5.3 femanager extension versions 6.x prior to 6.3.4 femanager extension versions 7.x prior to 7.1.0

Description An issue in the femanager extension for TYPO3 is related to missing access checks in the InvitationController. This allows an unauthenticated user to set the password of all frontend users. The exploitation of this issue may enable a remote attacker to set an arbitrary password for system users.

Recommendations For versions prior to 5.5.3, update to version 5.5.3 or later. For versions 6.x prior to 6.3.4, update to version 6.3.4 or later. For versions 7.x prior to 7.1.0, update to version 7.1.0 or later. As a temporary workaround, consider disabling the InvitationController until a patch is available.