VYPR
High severity · NVD Advisory · Published Feb 2, 2023 · Updated Mar 26, 2025

CVE-2023-25013

Description

Missing access checks in the TYPO3 femanager extension allow unauthenticated users to arbitrarily reset passwords of all frontend users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Overview

An issue was discovered in the femanager extension for TYPO3, affecting versions before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 [1]. The vulnerability stems from missing access checks in the InvitationController [4]. This broken access control flaw allows an unauthenticated attacker with a valid invitation link to arbitrarily set the password of any frontend user [4].

Exploitation

To exploit this vulnerability, an attacker only needs a valid invitation link from the extension's invitation component [4]. No prior authentication is required, and the attack is performed over the network with low complexity [4]. The issue is only exploitable when the invitation component is configured and used on the website [4].

Impact

Successful exploitation gives the attacker the ability to change the password of all frontend users [1][4]. This can lead to account takeover, unauthorized access to user accounts, and potential data exposure or further compromise of the TYPO3 instance [4]. The CVSS score is rated High (8.3), reflecting the high impact on integrity and low barriers to attack [4].

Mitigation

The TYPO3 Security Team has released patched versions: 5.5.3, 6.3.4, and 7.1.0 [1][4]. Users are strongly advised to update immediately via the TYPO3 extension manager or Packagist [4]. No workarounds have been provided for the vulnerable versions [4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions    Patched versions
in2code/femanager (Packagist)    < 5.5.3              5.5.3
in2code/femanager (Packagist)    >= 6.0.0, < 6.3.4    6.3.4
in2code/femanager (Packagist)    >= 7.0.0, < 7.1.0    7.1.0
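To turn the three affected ranges above into a check that can be run against a site's composer.lock, here is an added Python example (not code from VYPR, in2code or TYPO3). The composer.lock fragment is constructed for the example, and the function names are my own.

```python
import json
import re

# Affected ranges for in2code/femanager, copied from the advisory table:
# (lower bound inclusive or None, upper bound exclusive, first patched version)
AFFECTED_RANGES = [
    (None, "5.5.3", "5.5.3"),
    ("6.0.0", "6.3.4", "6.3.4"),
    ("7.0.0", "7.1.0", "7.1.0"),
]

def parse_version(v):
    """Turn 'v6.3.2' or '6.3.2-dev' into a comparable tuple of ints.
    Caveat: a prerelease suffix is ignored, so '6.3.4-dev' compares as 6.3.4."""
    core = re.match(r"v?(\d+(?:\.\d+)*)", v.strip())
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in core.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def affected_by_cve_2023_25013(version):
    """Return the patched version to upgrade to if `version` is vulnerable, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if (low is None or v >= parse_version(low)) and v < parse_version(high):
            return fixed
    return None

def check_composer_lock(lock_text, package="in2code/femanager"):
    """Scan composer.lock JSON text for `package`.
    Returns (installed_version, patched_version_or_None), or None if not installed."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                ver = pkg["version"]
                return ver, affected_by_cve_2023_25013(ver)
    return None

# Constructed sample composer.lock fragment (not taken from any real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "typo3/cms-core", "version": "v11.5.23"},
        {"name": "in2code/femanager", "version": "6.3.2"},
    ],
    "packages-dev": [],
})
```

Versions outside every listed branch, such as 8.x, are reported as not affected by this advisory; that says nothing about other advisories for the same package.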

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 5

News mentions: 0

No linked articles in our index yet.