CVE-2023-25013
📋 TL;DR
This vulnerability in the femanager extension for TYPO3 allows unauthenticated attackers to reset passwords for all frontend users due to missing access controls in the InvitationController. It affects TYPO3 sites using vulnerable versions of the femanager extension, potentially compromising user accounts and site security.
💻 Affected Systems
- femanager extension for TYPO3
📦 What is this software?
Femanager by In2code
⚠️ Risk & Real-World Impact
Worst Case
An attacker could reset passwords for all frontend users, leading to account takeovers, unauthorized access to sensitive data, and potential privilege escalation or site defacement.
Likely Case
Attackers exploit this to gain unauthorized access to user accounts, steal personal information, or disrupt user services by locking them out.
If Mitigated
With proper access controls and patching, the risk is minimized, but residual threats may exist if other vulnerabilities are present.
🎯 Exploit Status
Exploitation is straightforward due to missing access checks, making it easy for attackers to craft requests without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to femanager version 5.5.3, 6.3.4, or 7.1.0 or later
Vendor Advisory: https://typo3.org/security/advisory/typo3-ext-sa-2023-001
Restart Required: No
Instructions:
1. Check the current femanager version via the TYPO3 extension manager.
2. Update to the patched version using Composer or a manual download from the TYPO3 Extension Repository.
3. Clear TYPO3 caches after the update.
🔧 Temporary Workarounds
Disable femanager extension
Temporarily disable the femanager extension to prevent exploitation until patching is possible.
In TYPO3 backend, go to Extensions > Manage Extensions, find femanager, and deactivate it.
Restrict access to InvitationController
Use web server rules or TYPO3 configuration to block unauthenticated access to the vulnerable controller endpoints.
Add deny rules in .htaccess for Apache or nginx config to block paths related to femanager invitation functions.
🧯 If You Can't Patch
- Implement network-level controls such as WAF rules to block suspicious requests targeting the femanager extension.
- Monitor logs for unauthorized password reset attempts and enforce strong authentication policies for frontend users.
🔍 How to Verify
Check if Vulnerable:
Check the femanager extension version in TYPO3 backend under Extensions > Manage Extensions; if version is before 5.5.3, 6.3.4, or 7.1.0, it is vulnerable.
Check Version:
In TYPO3, use the extension manager or run: php typo3/sysext/core/bin/typo3 extension:list | grep femanager
Verify Fix Applied:
After updating, confirm the femanager version is 5.5.3, 6.3.4, or 7.1.0 or later in the extension manager.
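The version comparison above is easy to get wrong by hand because the fix landed in three separate branches. The following script is an added example (not In2code's or TYPO3's own code) that classifies a femanager version string against the patched releases named in this advisory. It assumes the branch mapping 5.x -> 5.5.3, 6.x -> 6.3.4, 7.x -> 7.1.0, and treats any major above 7 as patched; it can also be pointed at the output of the `typo3 extension:list` command quoted above, matching lines by the substring `femanager`.

```python
"""Classify a femanager version against the patched releases from the advisory.

Added example, not part of the advisory and not femanager's own code. The
branch mapping and the handling of majors above 7 are assumptions drawn from
the advisory's wording "5.5.3, 6.3.4, or 7.1.0 or later".
"""
from __future__ import annotations

import re
import sys

# Minimum patched version per major branch, as stated in the advisory.
PATCHED = {5: (5, 5, 3), 6: (6, 3, 4), 7: (7, 1, 0)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract major.minor.patch from strings such as '6.3.2' or 'v7.0.1-dev'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True if the given femanager version predates the fix for its branch."""
    v = parse_version(version)
    major = v[0]
    if major < min(PATCHED):
        return True  # branches older than 5.x have no fixed release named
    if major > max(PATCHED):
        return False  # assumption: branches after 7.x carry the fix
    return v < PATCHED[major]


def classify_listing(listing: str) -> dict[str, bool]:
    """Scan `typo3 extension:list` style output for femanager lines.

    Returns {version_string: vulnerable?} for every line that mentions
    femanager and contains a parseable version. Lines without a version are
    skipped rather than guessed at.
    """
    results: dict[str, bool] = {}
    for line in listing.splitlines():
        if "femanager" not in line:
            continue
        try:
            v = parse_version(line)
        except ValueError:
            continue
        key = ".".join(map(str, v))
        results[key] = is_vulnerable(key)
    return results


if __name__ == "__main__":
    # Usage: python check_femanager.py 6.3.3
    #        php typo3/sysext/core/bin/typo3 extension:list | python check_femanager.py -
    if len(sys.argv) > 1 and sys.argv[1] != "-":
        print("vulnerable" if is_vulnerable(sys.argv[1]) else "patched")
    else:
        for ver, vuln in classify_listing(sys.stdin.read()).items():
            print(f"femanager {ver}: {'VULNERABLE' if vuln else 'patched'}")
```

Run it with a bare version string, or pipe the extension listing into it with `-`. The listing parser only keys off the substring `femanager` and the first `x.y.z` on the line, so it does not depend on the exact column layout of the CLI output.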
📡 Detection & Monitoring
Log Indicators:
- Log entries showing unauthenticated requests to femanager InvitationController endpoints, especially password reset attempts.
Network Indicators:
- Unusual HTTP POST requests to paths containing 'femanager' or 'invitation' from unauthenticated IP addresses.
SIEM Query:
Example: source="web_logs" AND (url="*femanager*invitation*" OR (method="POST" AND status="200" AND user_agent NOT IN authenticated_users))
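The log and network indicators above can be checked offline before a SIEM rule is written. The script below is an added example, not part of this advisory, that parses Apache/nginx combined-format access logs and flags POST requests whose URL contains both `femanager` and `invitation`, then counts hits per source IP so a burst of resets from one address stands out. The log lines are constructed for illustration, and the query-string layout in them is illustrative rather than femanager's real URL scheme. Note that a plain access log does not show TYPO3 frontend session state, so "unauthenticated" cannot be read from it directly; the method and path are the usable indicators here.

```python
"""Flag femanager invitation POSTs in combined-format access logs.

Added example, not part of the advisory. SAMPLE_LOG is constructed; the
tx_femanager_pi1 query parameters in it are illustrative, not a claim about
the extension's actual URL layout.
"""
from __future__ import annotations

import re
from collections import Counter

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two scripted POSTs from one IP, one browser POST, two benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2023:12:00:01 +0000] "POST /?tx_femanager_pi1%5Bcontroller%5D=Invitation HTTP/1.1" 200 512 "-" "curl/7.88"
203.0.113.7 - - [10/Feb/2023:12:00:02 +0000] "POST /?tx_femanager_pi1%5Bcontroller%5D=Invitation HTTP/1.1" 200 512 "-" "curl/7.88"
198.51.100.4 - - [10/Feb/2023:12:00:05 +0000] "GET /members/?tx_femanager_pi1%5Bcontroller%5D=User HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2023:12:01:00 +0000] "POST /members/?tx_femanager_pi1%5Bcontroller%5D=Invitation HTTP/1.1" 200 600 "https://example.com/members/" "Mozilla/5.0"
192.0.2.9 - - [10/Feb/2023:12:02:00 +0000] "GET /index.php?id=1 HTTP/1.1" 200 1400 "-" "Mozilla/5.0"
this line is not a valid log entry
"""


def parse_line(line: str) -> dict | None:
    """Return the named fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_invitation_post(entry: dict) -> bool:
    """Network indicator from the advisory: POST to a path naming femanager and invitation."""
    path = entry["path"].lower()
    return entry["method"] == "POST" and "femanager" in path and "invitation" in path


def find_suspicious(log_text: str) -> list[dict]:
    """Return the parsed entries that match the indicator, skipping unparseable lines."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_invitation_post(entry):
            hits.append(entry)
    return hits


def count_by_ip(hits: list[dict]) -> Counter:
    """Aggregate hits per source address; repeated resets from one IP are the signal."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} {h['status']} ua={h['ua']!r}")
    for ip, n in count_by_ip(hits).most_common():
        print(f"{ip}: {n} invitation POST(s)")
```

Matching on the URL substrings alone will also catch legitimate invitation traffic, so treat a single hit as context and a cluster from one address, an empty referer, or a non-browser user agent as the escalation criteria; those fields are all kept in the parsed entry for that reason.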