TYPO3 extension femanager Broken Access Control vulnerability
Description
TYPO3 extension femanager has a broken access control in its invitation component, allowing unauthenticated remote users to create frontend user accounts with group memberships.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
The TYPO3 extension femanager (versions 7.0.0 through 7.2.1) fails to properly check access permissions for its invitation component. This is a broken access control vulnerability (CWE-284) that allows unauthorized account creation [4].
Exploitation
The vulnerability is exploitable only when the invitation component is configured and actively used on the website. An unauthenticated remote attacker can exploit this flaw to create frontend user accounts without any prior authentication or special privileges [4].
Impact
Successful exploitation enables the attacker to create frontend user accounts that are automatically assigned to configured frontend user groups. This can lead to unauthorized access to restricted content or functionality that is normally limited to authenticated users in those groups. The CVSS 3.1 base score is 5.4 (Medium), with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N [4].
Mitigation
The issue has been addressed in femanager version 7.2.2, which is available from the TYPO3 extension manager, Packagist, and the TYPO3 extension repository [2][4]. Users are strongly advised to update to this version as soon as possible. Note that the vulnerability only affects installations where the invitation component is in use [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| in2code/femanager (Packagist) | >= 7.0.0, < 7.2.2 | 7.2.2 |
Affected products
- Range: >= 7.0.0, < 7.2.2
Patches
cc5f2893613a [BUGFIX] Add missing permission check for invitation controlling
1 file changed · +8 −2
Classes/Controller/InvitationController.php+8 −2 modified@@ -32,7 +32,10 @@ class InvitationController extends AbstractFrontendController */ public function newAction(): ResponseInterface { - $this->allowedUserForInvitationNewAndCreate(); + $permissionCheck = $this->allowedUserForInvitationNewAndCreate(); + if ($permissionCheck instanceof ResponseInterface) { + return $permissionCheck; + } $this->view->assign('allUserGroups', $this->allUserGroups); $this->assignForAll(); return $this->htmlResponse(); @@ -57,7 +60,10 @@ public function createAction(User $user) $this->redirect('status'); } - $this->allowedUserForInvitationNewAndCreate(); + $permissionCheck = $this->allowedUserForInvitationNewAndCreate(); + if ($permissionCheck instanceof ResponseInterface) { + return $permissionCheck; + } $user->setDisable(true); $user = FrontendUtility::forceValues( $user,
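Review bot: in the newAction hunk the fix only takes effect if allowedUserForInvitationNewAndCreate() returns a ResponseInterface when access is denied; that method is not part of the diff, and if it returns null or any other type on denial the `instanceof ResponseInterface` guard is skipped and `return $this->htmlResponse();` still renders the invitation form, which is the same silent fall-through the pre-fix code had when the check's result was discarded. Suggest declaring the helper's return type explicitly (`: ?ResponseInterface`, or have it throw) so a later refactor cannot reintroduce the problem, and adding a functional test asserting that an unauthenticated request to the `new` action does not receive the rendered form.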
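Review bot: in the createAction hunk the guard is placed after the `$this->redirect('status'); }` branch shown in the context, where the redirect's return value is likewise discarded; on TYPO3 versions where redirect() returns a response instead of throwing, that branch falls through to the permission check and on to `$user->setDisable(true)` and the rest of the create flow, so it should be `return $this->redirect('status');`. The permission check would also be safer as the first statement of createAction, so that no other logic runs before the caller has been authorised.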
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-93j4-v838-8767 (ghsa, ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/in2code/femanager/CVE-2023-45023.yaml (ghsa, WEB)
- github.com/in2code-de/femanager/commit/cc5f2893613a6b3fd2677c457574ab587a0862ca (ghsa, WEB)
- github.com/in2code-de/femanager/releases/tag/7.2.2 (ghsa, WEB)
- typo3.org/security/advisory/typo3-ext-sa-2023-008 (ghsa, WEB)