CVE-2022-44543

The femanager extension before 5.5.2, 6.x before 6.3.3, and 7.x before 7.0.1 for TYPO3 allows creation of frontend users in restricted groups (if there is a usergroup field on the registration form). This occurs because the usergroup.inList protection mechanism is mishandled.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://typo3.org/help/security-advisories	Vendor Advisory
https://typo3.org/security/advisory/typo3-ext-sa-2022-015	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:in2code:femanager::::::typo3::*
	cpe:2.3:a:in2code:femanager::::::typo3::*
	cpe:2.3:a:in2code:femanager:7.0.0:::::typo3::

History

14 Dec 2023, 20:42

Type	Values Removed	Values Added
References	~~() https://typo3.org/help/security-advisories -~~	() https://typo3.org/help/security-advisories - Vendor Advisory
References	~~() https://typo3.org/security/advisory/typo3-ext-sa-2022-015 -~~	() https://typo3.org/security/advisory/typo3-ext-sa-2022-015 - Vendor Advisory
CPE		cpe:2.3:a:in2code:femanager:7.0.0:::::typo3:: cpe:2.3:a:in2code:femanager::::::typo3::*
CWE		NVD-CWE-Other
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3

12 Dec 2023, 17:22

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-12 17:15

Updated : 2024-02-05 00:22

NVD link : CVE-2022-44543

Mitre link : CVE-2022-44543

CVE.ORG link : CVE-2022-44543

JSON object : View

Products Affected

in2code

femanager

CWE

NVD-CWE-Other

{"id": "CVE-2022-44543", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2023-12-12T17:15:07.663", "references": [{"url": "https://typo3.org/help/security-advisories", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://typo3.org/security/advisory/typo3-ext-sa-2022-015", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "The femanager extension before 5.5.2, 6.x before 6.3.3, and 7.x before 7.0.1 for TYPO3 allows creation of frontend users in restricted groups (if there is a usergroup field on the registration form). This occurs because the usergroup.inList protection mechanism is mishandled."}, {"lang": "es", "value": "La extensi\u00f3n femanager anterior a 5.5.2, 6.x anterior a 6.3.3 y 7.x anterior a 7.0.1 para TYPO3 permite la creaci\u00f3n de usuarios frontend en grupos restringidos (si hay un campo de grupo de usuarios en el formulario de registro). Esto ocurre porque el mecanismo de protecci\u00f3n usergroup.inList no se maneja correctamente."}], "lastModified": "2023-12-14T20:42:42.800", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:in2code:femanager:*:*:*:*:*:typo3:*:*", "vulnerable": true, "matchCriteriaId": "E0EAE8E8-47BE-4D35-BE8C-530CC4668BF2", "versionEndExcluding": "5.5.2"}, {"criteria": "cpe:2.3:a:in2code:femanager:*:*:*:*:*:typo3:*:*", "vulnerable": true, "matchCriteriaId": "93866A98-CFC8-4CFB-B227-CA98ADEA8FEC", "versionEndExcluding": "6.3.3", "versionStartIncluding": "6.0.0"}, {"criteria": "cpe:2.3:a:in2code:femanager:7.0.0:*:*:*:*:typo3:*:*", "vulnerable": true, "matchCriteriaId": "ADE46436-77C4-4E8E-A3DF-1C26D55B8F69"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}