CVE-2023-25014
Description
Missing access checks in the femanager TYPO3 extension's InvitationController allow unauthenticated attackers to delete all frontend users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
The femanager extension for TYPO3, a frontend user registration and management tool, contains a broken access control vulnerability in its InvitationController. The issue stems from missing access checks that fail to verify whether a request is authorized to perform destructive actions. This flaw affects versions before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 [1][3].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted request to the InvitationController. The attack requires that the invitation component of the extension is configured and used on the website; if enabled, no authentication or special privileges are needed. The attacker does not need a valid invitation link to trigger the deletion [3].
Impact
Successful exploitation allows the attacker to delete all frontend users registered on the TYPO3 instance. This can lead to complete loss of user data, disruption of services relying on frontend authentication, and potential privilege escalation if administrative accounts are among the deleted users. The CVSS v3.1 score is 8.2 (High) with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L [1][3].
Mitigation
The vulnerability has been patched in femanager versions 5.5.3, 6.3.4, and 7.1.0. Users are strongly advised to update their extension immediately via the TYPO3 extension manager, Composer, or by downloading the fixed versions from the TYPO3 Extension Repository [3]. No workarounds are available; updating is the only reliable mitigation.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| in2code/femanager | Packagist | < 5.5.3 | 5.5.3 |
| in2code/femanager | Packagist | >= 6.0.0, < 6.3.4 | 6.3.4 |
| in2code/femanager | Packagist | >= 7.0.0, < 7.1.0 | 7.1.0 |
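A defender-side check that maps an installed femanager version (as recorded in a Composer lock file) to the affected ranges and patched releases listed above. This is an added example, not code from the advisory or the femanager project; the composer.lock fragment is constructed, and the version-range logic is an assumption based on the table, not on the project's own constraints.

```python
# Added example (not from the advisory or the femanager project): check the
# in2code/femanager version in a composer.lock against the affected ranges
# for CVE-2023-25014 and report which patched release to move to.
import json

# Affected ranges and patched versions exactly as listed in the table above:
# (lower bound inclusive or None, upper bound exclusive, patched version).
AFFECTED_RANGES = [
    (None, "5.5.3", "5.5.3"),
    ("6.0.0", "6.3.4", "6.3.4"),
    ("7.0.0", "7.1.0", "7.1.0"),
]

def parse_version(v):
    """Turn 'v7.0.2' / '7.0.2' into a comparable (major, minor, patch) tuple."""
    core = v.lstrip("v").split("-")[0]  # drop a pre-release suffix such as -dev
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def check_femanager(version):
    """Return the patched version to upgrade to, or None if not in an affected range."""
    v = parse_version(version)
    for lower, upper, patched in AFFECTED_RANGES:
        if (lower is None or v >= parse_version(lower)) and v < parse_version(upper):
            return patched
    return None

def check_composer_lock(lock_text):
    """Locate in2code/femanager in composer.lock JSON; return (installed, patched-or-None)."""
    data = json.loads(lock_text)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == "in2code/femanager":
            return pkg["version"], check_femanager(pkg["version"])
    return None, None  # extension not installed via Composer

# Constructed sample lock fragment pinning a vulnerable 6.x release.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "typo3/cms-core", "version": "v11.5.23"},
    {"name": "in2code/femanager", "version": "6.3.2"},
]})

if __name__ == "__main__":
    installed, patched = check_composer_lock(SAMPLE_LOCK)
    print(f"femanager {installed}: " + (f"upgrade to {patched}" if patched else "not affected"))
```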
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 4
News mentions: 0
No linked articles in our index yet.