Skip to main content

Missing Authentication for Critical Function

CVE-2023-25013

Severity High
Score 7.5/10

Summary

An issue was discovered in the femanager extension before 5.5.3, 6.0.x before 6.3.4, and 7.0.x before 7.1.0 for TYPO3. Missing access checks in the "InvitationController" allow an unauthenticated user to set the password of all frontend users.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • NONE

CWE-306 - Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Advisory Timeline

  • Published