CVE-2023-25014

An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to delete all frontend users.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://typo3.org/help/security-advisories	Third Party Advisory
https://typo3.org/security/advisory/typo3-ext-sa-2023-001	Patch Third Party Advisory
https://typo3.org/help/security-advisories	Third Party Advisory
https://typo3.org/security/advisory/typo3-ext-sa-2023-001	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:in2code:femanager::::::typo3::*
	cpe:2.3:a:in2code:femanager::::::typo3::*
	cpe:2.3:a:in2code:femanager::::::typo3::*

History

21 Nov 2024, 07:48

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~7.5~~	v2 : unknown v3 : 8.6
References	~~() https://typo3.org/help/security-advisories - Third Party Advisory~~	() https://typo3.org/help/security-advisories - Third Party Advisory
References	~~() https://typo3.org/security/advisory/typo3-ext-sa-2023-001 - Patch, Third Party Advisory~~	() https://typo3.org/security/advisory/typo3-ext-sa-2023-001 - Patch, Third Party Advisory

Information

Published : 2023-02-02 01:15

Updated : 2024-11-21 07:48

NVD link : CVE-2023-25014

Mitre link : CVE-2023-25014

CVE.ORG link : CVE-2023-25014

JSON object : View

Products Affected

in2code

femanager

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2023-25014", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-02-02T01:15:08.670", "references": [{"url": "https://typo3.org/help/security-advisories", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://typo3.org/security/advisory/typo3-ext-sa-2023-001", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://typo3.org/help/security-advisories", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://typo3.org/security/advisory/typo3-ext-sa-2023-001", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to delete all frontend users."}], "lastModified": "2024-11-21T07:48:56.013", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:in2code:femanager:*:*:*:*:*:typo3:*:*", "vulnerable": true, "matchCriteriaId": "BB2CBCCA-46DF-4A53-A863-E32620C4799E", "versionEndExcluding": "5.5.3"}, {"criteria": "cpe:2.3:a:in2code:femanager:*:*:*:*:*:typo3:*:*", "vulnerable": true, "matchCriteriaId": "2580AA87-29CC-4C22-9323-89433C175A67", "versionEndExcluding": "6.3.4", "versionStartIncluding": "6.0.0"}, {"criteria": "cpe:2.3:a:in2code:femanager:*:*:*:*:*:typo3:*:*", "vulnerable": true, "matchCriteriaId": "7233E443-0FB0-40F1-A64A-50678568077B", "versionEndExcluding": "7.1.0", "versionStartIncluding": "7.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}