Unauthenticated User Password Manipulation in TYPO3 femanager Extension

CVE-2023-25013 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to set the password of all frontend users.
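
The affected ranges above can be checked against a project's composer.lock. The following is an added example, not code from the femanager project or from this advisory; the Composer package name in2code/femanager and the sample lock contents are assumptions, and branches above 7.x are treated as unaffected because the advisory lists none.

```python
import json

# Fixed releases per branch, taken from the advisory text.
FIXED = {5: (5, 5, 3), 6: (6, 3, 4), 7: (7, 1, 0)}
PACKAGE = "in2code/femanager"  # assumption: Composer package name, not given on the page

# Constructed sample lock file (only the fields this check reads).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "typo3/cms-core", "version": "v11.5.20"},
        {"name": PACKAGE, "version": "6.3.1"},
    ],
    "packages-dev": [],
})

def parse_version(text):
    """'v6.3.1' -> (6, 3, 1). Raises ValueError for non-numeric refs such as 'dev-master'."""
    core = text.strip().lstrip("vV").split("-")[0]
    nums = [int(part) for part in core.split(".")]
    return tuple((nums + [0, 0])[:3])

def is_affected(version):
    """True if the version falls in a range the advisory lists as vulnerable."""
    parsed = parse_version(version)
    if parsed[0] < 5:
        return True   # "before 5.5.3" also covers every older branch
    fixed = FIXED.get(parsed[0])
    if fixed is None:
        return False  # branches above 7.x are not listed in the advisory
    return parsed < fixed

def audit_lock(lock_text):
    """Return (installed_version, affected); affected is None when the version
    cannot be compared and needs manual review, (None, False) if not installed."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            version = pkg.get("version", "")
            try:
                return version, is_affected(version)
            except ValueError:
                return version, None
    return None, False

if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```

A result of (version, None) means the lock file pins a development branch or other non-numeric reference, which has to be compared against the fix by hand.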
