Broken Access Control in extension "femanager"
Moderate severity
GitHub Reviewed
Published
Dec 13, 2023
to the GitHub Advisory Database
•
Updated Dec 13, 2023
Description
Published to the GitHub Advisory Database
Dec 13, 2023
Reviewed
Dec 13, 2023
Last updated
Dec 13, 2023
The extension fails to check access permissions for the edit user component. An authenticated frontend user can use the vulnerability to either edit data of various frontend users or to delete various frontend user accounts.
Another missing access check in the backend module of the extensions allows an authenticated backend user to perform various actions (userLogout, confirmUser, refuseUser and resendUserConfirmation) for any frontend user in the system.
References