Medium severityGHSA Advisory· Published Dec 13, 2023
Broken Access Control in extension "femanager"
CVE-2023-50459
Description
The extension fails to check access permissions for the edit user component. An authenticated frontend user can use the vulnerability to either edit data of various frontend users or to delete various frontend user accounts.
Another missing access check in the backend module of the extensions allows an authenticated backend user to perform various actions (userLogout, confirmUser, refuseUser and resendUserConfirmation) for any frontend user in the system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
in2code/femanagerPackagist | >= 7.0.0, < 7.2.3 | 7.2.3 |
Affected products
2- Range: >= 7.0.0, < 7.2.3
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.