- Description
- An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to set the password of all frontend users.
- Source
- cve@mitre.org
- NVD status
- Modified
CVSS 3.1
- Type
- Primary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- Severity
- HIGH
- Hype score
- Not currently trending
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:in2code:femanager:*:*:*:*:*:typo3:*:*",
"vulnerable": true,
"matchCriteriaId": "BB2CBCCA-46DF-4A53-A863-E32620C4799E",
"versionEndExcluding": "5.5.3"
},
{
"criteria": "cpe:2.3:a:in2code:femanager:*:*:*:*:*:typo3:*:*",
"vulnerable": true,
"matchCriteriaId": "2580AA87-29CC-4C22-9323-89433C175A67",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "6.0.0"
},
{
"criteria": "cpe:2.3:a:in2code:femanager:*:*:*:*:*:typo3:*:*",
"vulnerable": true,
"matchCriteriaId": "7233E443-0FB0-40F1-A64A-50678568077B",
"versionEndExcluding": "7.1.0",
"versionStartIncluding": "7.0.0"
}
],
"operator": "OR"
}
]
}
]