Packagist (Composer) package
in2code/femanager
pkg:composer/in2code/femanager
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-7900 |  | — |  | < 6.4.2 | 6.4.2 | Jul 22, 2025 | The femanager extension for TYPO3 allows Insecure Direct Object Reference resulting in unauthorized modification of userdata. This issue affects femanager version 6.4.1 and below, 7.0.0 to 7.5.2 and 8.0.0 to 8.3.0. |
| CVE-2025-48202 | Med | 5.3 |  | >= 8.0.0, < 8.2.2 | 8.2.2 | May 21, 2025 | The femanager extension through 8.2.1 for TYPO3 allows Insecure Direct Object Reference. |
| CVE-2023-50459 | Med | — |  | >= 7.0.0, < 7.2.3 | 7.2.3 | Dec 13, 2023 | The extension fails to check access permissions for the edit user component. An authenticated frontend user can use the vulnerability to either edit data of various frontend users or to delete various frontend user accounts. Another missing access check in the backend module of |
| CVE-2022-44543 |  | — |  | >= 7.0.0, < 7.0.1 | 7.0.1 | Dec 12, 2023 | The femanager extension before 5.5.2, 6.x before 6.3.3, and 7.x before 7.0.1 for TYPO3 allows creation of frontend users in restricted groups (if there is a usergroup field on the registration form). This occurs because the usergroup.inList protection mechanism is mishandled. |
| CVE-2023-45023 | Med | — |  | >= 7.0.0, < 7.2.2 | 7.2.2 | Oct 4, 2023 | femanager fails to check access permissions for the invitation component. Depending on the configuration of the plugin, a remote user can create frontend user accounts with access to configured frontend groups. |
| CVE-2023-25014 |  | — |  | < 5.5.3 | 5.5.3 | Feb 2, 2023 | An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to delete all frontend users. |
| CVE-2023-25013 |  | — |  | < 5.5.3 | 5.5.3 | Feb 2, 2023 | An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to set the password of all frontend users. |
| CVE-2021-36787 |  | — |  | < 5.5.1 | 5.5.1 | Aug 13, 2021 | The femanager extension before 5.5.1 and 6.x before 6.3.1 for TYPO3 allows XSS via a crafted SVG document. |
| CVE-2014-6292 |  | — |  | < 1.0.9 | 1.0.9 | Oct 3, 2014 | The femanager extension before 1.0.9 for TYPO3 allows remote frontend users to modify or delete the records of other frontend users via unspecified vectors. |