CVE-2025-7900

6.5 MEDIUM

📋 TL;DR

The femanager extension for TYPO3 contains an Insecure Direct Object Reference (IDOR) vulnerability: a logged-in frontend user can modify the data of other frontend user records by referencing their identifiers, because the affected versions do not verify that the record being edited belongs to the current session. This affects websites running vulnerable versions of the femanager extension and can compromise user accounts and data integrity.

💻 Affected Systems

Products:
  • TYPO3 femanager extension
Versions: femanager 6.4.1 and below, 7.0.0 to 7.5.2, 8.0.0 to 8.3.0
Operating Systems: Any OS running TYPO3
Default Config Vulnerable: ⚠️ Yes
Notes: Affects TYPO3 installations with femanager extension enabled and configured for user management.

📦 What is this software?

femanager is a TYPO3 extension (Composer package in2code/femanager) that provides frontend user self-registration, login-based profile editing and related user-management features for TYPO3 websites.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated attacker could modify any other frontend user's profile data, escalate privileges, or take over accounts by changing email addresses and passwords.

🟠

Likely Case

Unauthorized modification of user profiles, potentially leading to account compromise or data manipulation.

🟢

If Mitigated

Limited impact once the patched version is installed, or while the profile edit form is restricted to trusted users or networks; input validation alone does not address the missing ownership check.

🌐 Internet-Facing: HIGH - Web applications with femanager are typically internet-facing and accessible to attackers.
🏢 Internal Only: MEDIUM - Internal applications could still be vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a valid frontend user login on the affected site (where femanager registration is open, a self-registered account suffices), after which tampering with the identifier of the target user record in the profile edit request is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: femanager 6.4.2, 7.5.3, 8.3.1

Vendor Advisory: https://typo3.org/security/advisory/typo3-ext-sa-2025-010

Restart Required: No

Instructions:

1. Update the femanager extension via the TYPO3 Extension Manager or Composer.
2. For version 6.x: update to 6.4.2.
3. For version 7.x: update to 7.5.3.
4. For version 8.x: update to 8.3.1.
5. Clear TYPO3 caches after the update.

🔧 Temporary Workarounds

Disable femanager extension (all platforms)

Temporarily disable the femanager extension until patching is possible. Note that this also removes the frontend registration, profile editing and related features the extension provides. With typo3_console:

typo3cms extension:deactivate femanager

In Composer-based TYPO3 installations (v11 and later) extensions cannot be deactivated individually; remove the package with Composer instead and clear caches.

Restrict access to user management (all platforms)

The vulnerability is exploited by an already authenticated frontend user, so adding a login requirement does not help. Restrict the pages that carry the femanager edit plugin to trusted source IPs at the web server or reverse proxy, or limit those pages to a small, trusted frontend user group, until the patch is applied.

🧯 If You Can't Patch

  • Implement additional server-side authorization checks for all user data modification requests, verifying that the fe_users record being edited belongs to the logged-in frontend user (for example by comparing its uid with the session user's uid) before any update is written.
  • Enable detailed logging of all user profile modification attempts and monitor for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check the femanager extension version in the TYPO3 Extension Manager or via composer show in2code/femanager (the Composer package name is in2code/femanager).

Check Version:

composer show in2code/femanager | grep version

Verify Fix Applied:

Verify the femanager version is at least 6.4.2 on the 6.x branch, 7.5.3 on the 7.x branch, or 8.3.1 on the 8.x branch. Compare within the branch you run: 7.0.0 is newer than 6.4.2 but still vulnerable, and 8.0.0 is newer than 7.5.3 but still vulnerable.
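A branch-aware version check, as an added example that is not part of this advisory or the femanager project: it reads the installed version out of composer show output (the "versions : * x.y.z" line format is assumed from Composer, and the sample output below is constructed) and compares it against the fixed version of the same release branch, so that 7.0.0 is correctly reported as vulnerable even though it is newer than 6.4.2.

```python
import re

# Fixed versions per release branch, from the advisory: 6.4.2, 7.5.3, 8.3.1.
FIXED_BY_MAJOR = {6: (6, 4, 2), 7: (7, 5, 3), 8: (8, 3, 1)}
# Highest branch the advisory lists as affected ("8.0.0 to 8.3.0").
HIGHEST_AFFECTED_MAJOR = 8


def parse_version(text):
    """Return (major, minor, patch) from strings like '7.5.2', 'v7.5.2' or '7.5.2-dev'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True if this femanager version falls in an affected range of the advisory.

    The fix is per branch, so a plain 'newer than 6.4.2' comparison is wrong:
    7.0.0 is newer than 6.4.2 but stays vulnerable until 7.5.3.
    """
    v = parse_version(version)
    major = v[0]
    if major < 6:
        return True  # "6.4.1 and below" covers every earlier release
    if major > HIGHEST_AFFECTED_MAJOR:
        return False  # not listed in the advisory's affected ranges
    return v < FIXED_BY_MAJOR[major]


def version_from_composer_show(output):
    """Extract the installed version from `composer show in2code/femanager` output.

    Composer prints a line such as 'versions : * 7.5.2' for an installed package
    (assumed format; adjust the pattern if your Composer prints differently).
    """
    for line in output.splitlines():
        m = re.match(r"\s*versions?\s*:\s*\*?\s*(\S+)", line)
        if m:
            return m.group(1)
    raise ValueError("no version line found in composer output")


# Constructed sample of `composer show in2code/femanager` output (not real data).
SAMPLE_COMPOSER_OUTPUT = """\
name     : in2code/femanager
descrip. : Frontend user management for TYPO3
keywords : typo3, frontend, user
versions : * 7.5.2
type     : typo3-cms-extension
"""

if __name__ == "__main__":
    installed = version_from_composer_show(SAMPLE_COMPOSER_OUTPUT)
    state = "VULNERABLE" if is_vulnerable(installed) else "patched / not affected"
    print(f"femanager {installed}: {state}")
```

Feed the real output of composer show in2code/femanager into version_from_composer_show to check a live installation; versions on branches above 8.x are reported as not affected only because the advisory does not list them, not because they were verified.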

📡 Detection & Monitoring

Log Indicators:

  • Unusual user profile modifications, especially from unexpected IP addresses or user accounts.

Network Indicators:

  • HTTP POST requests to user profile update endpoints with manipulated user IDs.

SIEM Query:

Public site (a single client referencing several different user records is the IDOR signature; femanager_user_id stands for the extracted tx_femanager_pi1[user] value):

web_access_logs WHERE uri CONTAINS 'tx_femanager' AND method IN ('GET', 'POST') GROUP BY src_ip HAVING COUNT(DISTINCT femanager_user_id) > 1

Internal site with a known client population:

web_access_logs WHERE (uri CONTAINS 'tx_femanager' AND method = 'POST') AND (user_agent NOT IN expected_user_agents OR src_ip NOT IN allowed_ips)

Adapt the URI match to the site's route configuration: with default Extbase routing femanager's arguments arrive as tx_femanager_pi1[...] query parameters, so a match on a /femanager/ path will not fire. Identifiers sent only in a POST body are not visible in access logs unless the web server logs request bodies.
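Detection logic over access logs, as an added example that is not from the advisory or the femanager project: it assumes default Extbase routing, where femanager's arguments appear as tx_femanager_pi1[action] and tx_femanager_pi1[user] query parameters, and runs over constructed combined-format log lines embedded below. It flags any client that references more than one fe_user record through the edit or update action, which is the IDOR signature the query above describes.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Combined-log-format line: ip ident user [ts] "METHOD uri HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed plugin namespace: Extbase exposes femanager's arguments as
# tx_femanager_pi1[...] query parameters. Adjust to the site's routing setup.
PLUGIN = "tx_femanager_pi1"
EDIT_ACTIONS = {"edit", "update"}


def parse_line(line):
    """Return (ip, method, uri, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("method"), m.group("uri"), int(m.group("status"))


def femanager_target(uri):
    """Return the fe_user uid referenced by an edit/update request, else None.

    parse_qs percent-decodes keys, so tx_femanager_pi1%5Buser%5D=12 and
    tx_femanager_pi1[user]=12 both map to the key 'tx_femanager_pi1[user]'.
    """
    qs = parse_qs(urlparse(uri).query)
    action = qs.get(f"{PLUGIN}[action]", [""])[0]
    user = qs.get(f"{PLUGIN}[user]", [""])[0]
    if action in EDIT_ACTIONS and user.isdigit():
        return int(user)
    return None


def find_idor_probing(lines, min_distinct_targets=2):
    """Flag source IPs that referenced more than one fe_user record via the edit form.

    A legitimate user edits only their own record, so one client touching
    several distinct uids is the pattern to escalate. Returns {ip: sorted uids}.
    Uids that travel only in a POST body are invisible here unless the web
    server logs request bodies.
    """
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, uri, _status = parsed
        if method not in ("GET", "POST"):
            continue
        uid = femanager_target(uri)
        if uid is not None:
            targets[ip].add(uid)
    return {ip: sorted(uids) for ip, uids in targets.items()
            if len(uids) >= min_distinct_targets}


# Constructed sample log lines (not real traffic): 203.0.113.5 walks through
# several user uids; 198.51.100.7 only ever touches its own record (uid 42).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Aug/2025:10:00:01 +0000] "GET /profile?tx_femanager_pi1%5Baction%5D=edit&tx_femanager_pi1%5Buser%5D=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2025:10:00:05 +0000] "GET /profile?tx_femanager_pi1%5Baction%5D=edit&tx_femanager_pi1%5Buser%5D=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2025:10:00:06 +0000] "GET /profile?tx_femanager_pi1%5Baction%5D=edit&tx_femanager_pi1%5Buser%5D=13 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2025:10:00:08 +0000] "POST /profile?tx_femanager_pi1%5Baction%5D=update&tx_femanager_pi1%5Buser%5D=14 HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2025:10:01:00 +0000] "POST /profile?tx_femanager_pi1%5Baction%5D=update&tx_femanager_pi1%5Buser%5D=42 HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Aug/2025:10:02:00 +0000] "GET /news/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, uids in find_idor_probing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: edit/update requests for {len(uids)} distinct fe_user uids {uids}")
```

Grouping by source IP is a compromise: shared NAT egress points will produce false positives, so where the frontend session cookie or TYPO3's own logs are available, group by session instead.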
