VYPR
Moderate severity · NVD Advisory · Published Dec 12, 2023 · Updated Aug 3, 2024

CVE-2022-44543

Description

Femanager TYPO3 extension before 5.5.2, 6.3.3, 7.0.1 mishandles usergroup validation, allowing frontend user registration in restricted groups.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2022-44543 is a broken access control vulnerability in the femanager TYPO3 extension for frontend user registration. The extension's usergroup validation, specifically the usergroup.inList protection mechanism, fails to properly handle multiple group selections, allowing users to assign themselves to restricted user groups during registration [1][3].

Exploitation

An attacker can exploit this by submitting a registration form with a manipulated usergroup field containing multiple comma-separated group IDs, including groups they are not authorized to join. The original validation logic only checked whether the submitted single value was in the allowed list, so when multiple values were provided the check was bypassed [3]. The fix ensures that each submitted group ID is individually validated against the allowed list.

Impact

Successful exploitation allows an unauthenticated attacker to register as a frontend user in restricted groups, potentially gaining elevated privileges or access to protected content that should only be accessible to members of those groups [1].

Mitigation

The vulnerability is fixed in femanager versions 5.5.2, 6.3.3, and 7.0.1 [1][4]. Users are strongly advised to update their installations immediately. No workarounds are documented.
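The quickest way to confirm exposure in a Composer-managed TYPO3 site is to compare the locked in2code/femanager version against the affected ranges in the table below. The following script is an added example, not part of the advisory or of the femanager project: it reads a composer.lock document, finds the package, and classifies the installed version using exactly the three ranges published for this CVE. The sample lock file embedded in it is constructed for the demonstration; the version-parsing rule (ignore a leading "v", treat a missing patch level as 0, ignore pre-release suffixes, report branch versions such as dev-main as unknown) is an assumption of this example.

```python
"""Added example: flag an installed in2code/femanager version that falls in the
affected ranges for CVE-2022-44543 by reading composer.lock."""
import json
import re

PACKAGE = "in2code/femanager"

# Affected ranges as listed in the advisory table: (lower bound inclusive or
# None, upper bound exclusive).  Anything outside these ranges, e.g. 5.6.x,
# is treated as not affected because the table does not list it.
AFFECTED_RANGES = [
    (None, (5, 5, 2)),
    ((6, 0, 0), (6, 3, 3)),
    ((7, 0, 0), (7, 0, 1)),
]


def parse_version(version):
    """Convert a Composer version such as 'v6.3.2', '7.0' or '7.0.0-beta1'
    into a (major, minor, patch) tuple.  A missing patch level becomes 0 and
    a pre-release suffix is ignored, so '7.0.0-beta1' compares as 7.0.0.
    Non-numeric versions (dev-main, branch aliases) return None so the caller
    can report them as unknown instead of silently calling them safe.
    (Parsing rule is an assumption of this example.)"""
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if m is None:
        return None
    return tuple(int(part) if part is not None else 0 for part in m.groups())


def is_affected(version):
    """True if version lies in an affected range, False if not, None if the
    version string cannot be parsed."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return any((low is None or parsed >= low) and parsed < high
               for low, high in AFFECTED_RANGES)


def check_lock(lock_json):
    """Locate the package in a composer.lock document (both 'packages' and
    'packages-dev') and classify the installed version."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                version = str(pkg.get("version", ""))
                verdict = is_affected(version)
                if verdict is None:
                    status = "unknown"
                elif verdict:
                    status = "affected"
                else:
                    status = "not-affected"
                return {"installed": version, "status": status}
    return {"installed": None, "status": "not-installed"}


# Constructed sample composer.lock (not from a real installation): the
# femanager version 6.3.2 sits just below the patched 6.3.3.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "typo3/cms-core", "version": "v11.5.20"},
        {"name": PACKAGE, "version": "6.3.2"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    result = check_lock(SAMPLE_LOCK)
    print(f"{PACKAGE} {result['installed']}: {result['status']}")
```

To run it against a real site, replace SAMPLE_LOCK with the contents of the project's composer.lock. An "unknown" result (a branch or dev version) should be treated as needing manual review rather than as safe, which is why the parser refuses to guess for those strings.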

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions      Patched versions
in2code/femanager (Packagist)    >= 7.0.0, < 7.0.1      7.0.1
in2code/femanager (Packagist)    >= 6.0.0, < 6.3.3      6.3.3
in2code/femanager (Packagist)    < 5.5.2                5.5.2


Patches (1)

827edbc767b1

[BUGFIX] Broken Access Control in Usergroup Validation

https://github.com/in2code-de/femanager · Stefan Busemann · Oct 31, 2022 · via ghsa
4 files changed · +124 −1
  • Classes/Domain/Validator/AbstractValidator.php  +4 −1  modified
    @@ -364,8 +364,11 @@ protected function stringContainsSpaceCharacter($value)
          */
         protected function validateInList($value, $validationSettingList)
         {
    +        $valueList = GeneralUtility::trimExplode(',', $value, true);
             $validationSettings = GeneralUtility::trimExplode(',', $validationSettingList, true);
    -        return in_array($value, $validationSettings);
    +        $diff = array_diff($valueList, $validationSettings);
    +
    +        return empty($diff);
         }
     
         /**
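Review bot: `validateInList` now treats an empty or whitespace-only `$value` as valid: `trimExplode(',', '', true)` yields an empty array, `array_diff([], ...)` is empty, and `empty($diff)` returns true, whereas the old `in_array('', $validationSettings)` returned false unless the allowed list itself contained an empty entry. If an empty usergroup selection is meant to pass `inList` (with presence enforced by the separate required check), say so in the docblock above, which should also mention that comma-separated lists are now accepted; otherwise guard with `if ($valueList === []) { return false; }`. Note too that `array_diff` compares string representations, so `'01'` and `'1'` are different values, which is fine for uids but worth a test.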
    
  • Classes/Domain/Validator/ServersideValidator.php  +14 −0  modified
    @@ -7,6 +7,7 @@
     use In2code\Femanager\Domain\Model\User;
     use TYPO3\CMS\Core\Utility\GeneralUtility;
     use TYPO3\CMS\Extbase\Domain\Model\FileReference;
    +use TYPO3\CMS\Extbase\Persistence\ObjectStorage;
     use TYPO3\CMS\Extbase\Reflection\ObjectAccess;
     
     /**
    @@ -306,6 +307,19 @@ protected function checkAnyValidation($validation, $value, $validationSetting, $
         protected function getValue($user, $fieldName)
         {
             $value = $this->getValueFromProperty($user, $fieldName);
    +
    +        if ($value instanceof ObjectStorage) {
    +            $values = [];
    +
    +            foreach ($value as $object) {
    +                if (method_exists($object, 'getUid')) {
    +                    $values[] = $object->getUid();
    +                }
    +            }
    +
    +            return implode(',', $values);
    +        }
    +
             if (is_object($value)) {
                 if (method_exists($value, 'getUid')) {
                     $value = $value->getUid();
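Review bot: In the new `ObjectStorage` branch, entries without a `getUid()` method are silently skipped, and an unpersisted group whose `getUid()` returns null becomes an empty element that `trimExplode(..., true)` later discards, so the value handed to `validateInList` can contain fewer uids than the storage has groups without any error being raised. Since this branch exists to stop group escalation, failing closed would be safer: return a value that cannot pass validation, or throw, when an entry has no usable uid, instead of dropping it. Also, the early return means an empty storage yields `''`; confirm that is the intended input for the `inList` and `required` checks.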
    
  • Tests/Unit/Domain/Validator/AbstractValidatorTest.php  +20 −0  modified
    @@ -732,6 +732,16 @@ public function validateInListReturnsBoolDataProvider()
                     'a',
                     true
                 ],
    +            [
    +                '1,2',
    +                '1,2,3',
    +                true
    +            ],
    +            [
    +                '1,2',
    +                '3,2,1',
    +                true
    +            ],
                 [
                     '23',
                     '1,234,3',
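Review bot: The two new positive cases only use tidy `'1,2'` input; since both sides go through `trimExplode`, add a case with surrounding whitespace and a duplicate (for example `'1, 2, 2'` against `'1,2,3'`, expected true) so the normalisation that the fix relies on is pinned down by a test.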
    @@ -752,6 +762,16 @@ public function validateInListReturnsBoolDataProvider()
                     'bac',
                     false
                 ],
    +            [
    +                '1,2,3',
    +                '1,2',
    +                false
    +            ],
    +            [
    +                '1,2,3',
    +                '2,1',
    +                false
    +            ]
             ];
         }
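Review bot: Neither negative case exercises the empty-input path; add `['', '1,2,3', ...]` with whichever result the implementation intends, because the new `array_diff` logic returns true for an empty value while the old `in_array` returned false. A case such as `['1,4', '1,2,3', false]`, one allowed uid mixed with one that is not, would also mirror the reported bypass (allowed and disallowed groups submitted together) more closely than `'1,2,3'` against `'1,2'`.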
     
    
  • Tests/Unit/Domain/Validator/ServersideValidatorTest.php  +86 −0  added
    @@ -0,0 +1,86 @@
    +<?php
    +
    +namespace In2code\Femanager\Tests\Unit\Domain\Validator;
    +
    +use In2code\Femanager\Domain\Model\User;
    +use In2code\Femanager\Domain\Model\UserGroup;
    +use In2code\Femanager\Domain\Validator\ServersideValidator;
    +use Nimut\TestingFramework\TestCase\UnitTestCase;
    +
    +/**
    + * Class AbstractValidatorTest
    + * @coversDefaultClass \In2code\Femanager\Domain\Validator\ServersideValidator
    + */
    +class ServersideValidatorTest extends UnitTestCase
    +{
    +
    +    /**
    +     * @var \In2code\Femanager\Domain\Validator\ServersideValidator
    +     */
    +    protected $generalValidatorMock;
    +
    +    /**
    +     * Make object available
    +     */
    +    public function setUp(): void
    +    {
    +        $this->generalValidatorMock = $this->getAccessibleMock(ServersideValidator::class, ['dummy']);
    +    }
    +
    +    /**
    +     * Remove object
    +     */
    +    public function tearDown(): void
    +    {
    +        unset($this->generalValidatorMock);
    +    }
    +
    +    /**
    +     * @covers ::getValue
    +     */
    +    public function testGetValueForObjectStorage(): void
    +    {
    +        $user = new User();
    +
    +        $usergroup1 = $this->getUserGroupMock(1);
    +        $usergroup2 = $this->getUserGroupMock(2);
    +
    +        $user->addUsergroup($usergroup1);
    +        $user->addUsergroup($usergroup2);
    +
    +        $fieldName = 'usergroup';
    +
    +        $result = $this->generalValidatorMock->_callRef('getValue', $user, $fieldName);
    +
    +        self::assertSame('1,2', $result);
    +    }
    +
    +    /**
    +     * @covers ::getValue
    +     */
    +    public function testGetValueForObject(): void
    +    {
    +        $user = new User('testuser');
    +
    +        $fieldName = 'username';
    +
    +        $result = $this->generalValidatorMock->_callRef('getValue', $user, $fieldName);
    +
    +        self::assertSame('testuser', $result);
    +    }
    +
    +    /**
    +     * @param int $uid
    +     * @return UserGroup&\PHPUnit\Framework\MockObject\MockObject|\PHPUnit\Framework\MockObject\MockObject
    +     */
    +    protected function getUserGroupMock(int $uid = 1)
    +    {
    +        $mockClass = $this->getMockBuilder(UserGroup::class)
    +            ->disableOriginalConstructor()
    +            ->getMock();
    +
    +        $mockClass->method('getUid')->willReturn($uid);
    +
    +        return $mockClass;
    +    }
    +}
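Review bot: The class docblock still reads `Class AbstractValidatorTest`; rename it to `ServersideValidatorTest`. `_callRef` passes arguments by reference, which `getValue($user, $fieldName)` does not need, so `_call` is the simpler choice. The tests also miss the two edge cases introduced by the `ObjectStorage` branch in `getValue`: a storage entry with no `getUid()` method and an entry whose `getUid()` returns null. Both currently produce fewer uids than groups, and a test pinning the expected result for each would document whether that silent drop is intended.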
    

