Improper Access Control
CVE-2022-44543
Summary
The femanager extension prior to versions 5.5.2, 6.x prior to 6.3.3, and 7.x prior to 7.0.1 for TYPO3 allows creation of frontend users in restricted groups (if there is a usergroup field on the registration form). This occurs because the "usergroup.inList" protection mechanism is mishandled.
- LOW
- NETWORK
- LOW
- UNCHANGED
- NONE
- NONE
- NONE
- NONE
CWE-284 - Improper Access Control
Listed 5th in the 'OWASP Top Ten', improper (or broken) access control attacks are a fundamental type of vulnerability. This includes a broad range of design flaws that enable users to act outside of their intended permissions. They can use these privileges to gain access to restricted files and functionality such as accessing restricted information, falsifying records, destroying data, or executing commands.
References
Advisory Timeline
- Published