VYPR
Moderate severity · NVD Advisory · Published Jul 22, 2025 · Updated Jul 22, 2025

Insecure Direct Object Reference in extension "femanager" (femanager)

CVE-2025-7900

Description

The femanager extension for TYPO3 allows Insecure Direct Object Reference, resulting in unauthorized modification of user data. This issue affects femanager versions 6.4.1 and below, 7.0.0 to 7.5.2, and 8.0.0 to 8.3.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The femanager TYPO3 extension suffers from an Insecure Direct Object Reference, allowing authenticated users to modify other frontend user records via a manipulated __identity parameter.

Description

The femanager extension for TYPO3 is affected by an Insecure Direct Object Reference (IDOR) vulnerability, tracked as CVE-2025-7900. The root cause lies in improper handling of the __identity parameter during user profile update operations. While the extension attempts to detect spoofing of this parameter, a side effect of the logging mechanism (which leverages Extbase persistence) unintentionally persists changes made to a manipulated user object, thereby bypassing intended access controls [1][4].

Exploitation

This vulnerability can be exploited by an authenticated frontend user who has access to the 'Edit' plugin provided by femanager. The attacker only needs to modify the __identity parameter in the update request to point to another existing frontend user record. No special privileges beyond a standard user account are required; the exploit relies on a logical flaw in the persistence layer during validation [2][4]. The commit addressing this issue introduces stricter checks before any logging or persistence occurs, preventing the unauthorized save [2].
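
The interaction described in the Description and Exploitation sections, modelled as an added example (not femanager's or Extbase's code; the UnitOfWork, User and update_action names are assumed): the vulnerable refusal path logs against the object that was already property-mapped from __identity, so the log utility's persist run writes it, while the patched path logs against the current user and never marks the spoofed object.

```python
# Added model of the side effect described above; not femanager or Extbase code,
# all names assumed. Extbase maps the request onto the object chosen by
# __identity before the controller's own ownership check runs.
from dataclasses import dataclass, replace

STATUS_PROFILEUPDATEREFUSEDSECURITY = 205   # values from the patched Log.php
STATUS_PROFILEUPDATEATTEMPTEDSPOOF = 207

@dataclass
class User:
    uid: int
    email: str
    last_log: int = 0

class UnitOfWork:  # update() marks an object, persist_all() writes marked ones
    def __init__(self, rows):
        self.rows = {u.uid: replace(u) for u in rows}   # the fe_users "table"
        self.session = {}                               # identity map
        self.dirty = set()

    def find(self, uid):
        if uid not in self.session:
            self.session[uid] = replace(self.rows[uid])  # managed copy
        return self.session[uid]

    def update(self, user):
        self.dirty.add(user.uid)

    def persist_all(self):
        for uid in self.dirty:
            self.rows[uid] = replace(self.session[uid])
        self.dirty.clear()

    def log(self, status, user):  # log utility that persists the user it is given
        user.last_log = status
        self.update(user)
        self.persist_all()

def update_action(uow, current_user, args, fixed):
    user = uow.find(int(args["__identity"]))    # args: the mapped 'user' argument
    user.email = args["email"]                  # mapping already applied this value
    if user.uid != current_user.uid:            # spoof detected: refuse
        if fixed:  # patched: log against the caller; spoofed object is never marked
            uow.log(STATUS_PROFILEUPDATEATTEMPTEDSPOOF, current_user)
        else:      # vulnerable: the refusal itself hands the spoofed object to persist
            uow.log(STATUS_PROFILEUPDATEREFUSEDSECURITY, user)
        return False
    uow.update(user)
    uow.persist_all()
    return True
```

With `fixed=False` the refused request still changes the other user's stored email; with `fixed=True` only the caller's own record receives the spoof log entry.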

Impact

If successfully exploited, an attacker gains the ability to modify arbitrary frontend user records, including altering profile data of other users. This could lead to unauthorized changes to email addresses, passwords, or other sensitive fields, depending on the extension's configuration. The vulnerability is classified as medium severity (CVSS 4.0 base score 5.3) [4].

Mitigation

Updated versions have been released: 6.4.2, 7.5.3, and 8.3.1. Users are strongly advised to update their femanager installation immediately via the TYPO3 extension manager or by downloading the patched versions from the official repository [4]. No workaround is mentioned, so the update is the recommended course of action.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions     Patched versions
in2code/femanager (Packagist)    < 6.4.2               6.4.2
in2code/femanager (Packagist)    >= 7.0.0, < 7.5.3     7.5.3
in2code/femanager (Packagist)    >= 8.0.0, < 8.3.1     8.3.1

Affected products (2)

  • Range: <=6.4.1, >=7.0.0 <=7.5.2, >=8.0.0 <=8.3.0
  • TYPO3/Extension "femanager" v5
    Range: 8.0.0

Patches (1)

9bd9fbded4cf

[SECURITY] Avoid unintended persistence

https://github.com/in2code-de/femanager · Stefan Busemann · Jul 22, 2025 · via ghsa
5 files changed · +21 −9
  • Classes/Controller/EditController.php (+9 −9, modified)
    @@ -57,16 +57,16 @@ public function editAction(): ResponseInterface
         public function updateAction(User $user, string $captcha = null)
         {
             $currentUser = UserUtility::getCurrentUser();
    -        $userValues = $this->request->hasArgument('user') ? $this->request->getArgument('user') : null;
    -        $token = $this->request->hasArgument('token') ? $this->request->getArgument('token') : null;
    +        $userValues = $this->request->getArgument('user') ?? [];
    +        $token = $this->request->getArgument('token') ?? null;
    +        $identity = (int)($userValues['__identity'] ?? 0);
    +        $isSpoof = $this->isSpoof($currentUser, $identity, $token);
    +
    +        if (!$currentUser instanceof User || $identity === 0 || $token === null || $isSpoof) {
    +            $logStatus = $isSpoof ? Log::STATUS_PROFILEUPDATEATTEMPTEDSPOOF : Log::STATUS_PROFILEUPDATEREFUSEDSECURITY;
    +            $logContext = $isSpoof ? $currentUser : $user;
    +            $this->logUtility->log($logStatus, $logContext);
     
    -        if ($currentUser === null ||
    -            empty($userValues['__identity']) ||
    -            (int)$userValues['__identity'] === null ||
    -            $token === null ||
    -            $this->isSpoof($currentUser, (int)$userValues['__identity'], $token)
    -        ) {
    -            $this->logUtility->log(Log::STATUS_PROFILEUPDATEREFUSEDSECURITY, $user);
                 $this->addFlashMessage(
                     LocalizationUtility::translateByState(Log::STATUS_PROFILEUPDATEREFUSEDSECURITY),
                     '',
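Review bot: `$isSpoof` is now computed before the `$currentUser instanceof User` check, whereas the removed condition short-circuited on `$currentUser === null` first; if `isSpoof()` type-hints its first parameter, an unauthenticated request now throws instead of reaching the refusal branch, so evaluate `$this->isSpoof(...)` only after the instanceof check. The `hasArgument()` guards were also dropped in favour of `getArgument('user') ?? []` and `getArgument('token') ?? null`; since Extbase's `Request::getArgument()` throws `NoSuchArgumentException` for an absent argument rather than returning null, the `??` defaults never apply and a request without a token surfaces as an exception instead of a logged refusal, so keep the `hasArgument()` checks. The core change is right: passing `$currentUser` rather than the property-mapped `$user` to `logUtility->log()` on the spoof path is what keeps the manipulated object out of the persistence run.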
    
  • Classes/Domain/Model/Log.php (+1 −0, modified)
    @@ -23,6 +23,7 @@ class Log extends AbstractEntity
         final public const STATUS_PROFILEUPDATEREQUEST = 204;
         final public const STATUS_PROFILEUPDATEREFUSEDSECURITY = 205;
         final public const STATUS_PROFILEUPDATEIMAGEDELETE = 206;
    +    final public const STATUS_PROFILEUPDATEATTEMPTEDSPOOF = 207;
         final public const STATUS_PROFILEDELETE = 301;
         final public const STATUS_INVITATIONPROFILECREATED = 401;
         final public const STATUS_INVITATIONPROFILEDELETEDUSER = 402;
    
  • Configuration/TCA/tx_femanager_domain_model_log.php (+5 −0, modified)
    @@ -208,6 +208,11 @@
                             'tx_femanager_domain_model_log.state.206',
                             Log::STATUS_PROFILEUPDATEIMAGEDELETE,
                         ],
    +                    [
    +                        'LLL:EXT:femanager/Resources/Private/Language/locallang_db.xlf:' .
    +                        'tx_femanager_domain_model_log.state.207',
    +                        Log::STATUS_PROFILEUPDATEATTEMPTEDSPOOF,
    +                    ],
                         [
                             'LLL:EXT:femanager/Resources/Private/Language/locallang_db.xlf:' .
                             'tx_femanager_domain_model_log.state.300',
    
  • Resources/Private/Language/locallang_db.xlf (+3 −0, modified)
    @@ -174,6 +174,9 @@
     			<trans-unit id="tx_femanager_domain_model_log.state.206">
     				<source>Image deleted</source>
     			</trans-unit>
    +			<trans-unit id="tx_femanager_domain_model_log.state.207">
    +				<source>Attempted to spoof profile</source>
    +			</trans-unit>
     			<trans-unit id="tx_femanager_domain_model_log.state.300">
     				<source>Delete</source>
     			</trans-unit>
    
  • Resources/Private/Language/locallang.xlf (+3 −0, modified)
    @@ -162,6 +162,9 @@
     			<trans-unit id="tx_femanager_domain_model_log.state.206">
     				<source>Image deleted</source>
     			</trans-unit>
    +			<trans-unit id="tx_femanager_domain_model_log.state.207">
    +				<source>Attempted to spoof profile</source>
    +			</trans-unit>
     			<trans-unit id="tx_femanager_domain_model_log.state.300">
     				<source>Delete</source>
     			</trans-unit>
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (4)

News mentions (0)

No linked articles in our index yet.