Medium severityGHSA Advisory· Published Dec 13, 2023

Broken Access Control in extension "femanager"

CVE-2023-50459

Description

The extension fails to check access permissions for the edit user component. An authenticated frontend user can use the vulnerability to either edit data of various frontend users or to delete various frontend user accounts.

Another missing access check in the backend module of the extensions allows an authenticated backend user to perform various actions (userLogout, confirmUser, refuseUser and resendUserConfirmation) for any frontend user in the system.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
in2code/femanagerPackagist	>= 7.0.0, < 7.2.3	7.2.3

Affected products

Packagist/FemanagerGHSA
Range: >= 7.0.0, < 7.2.3
Package: https://packagist.org/packages/in2code/femanager

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000