The extension allows by default to upload SVG files when a logged in frontend user uploads a new profile image. This may lead to Cross-Site Scripting, when the uploaded SVG image is used as is on the website.

Note: If SVG uploads are required, it is recommended to use the TYPO3 extension svg_sanitizer (added to TYPO3 core since versions 9.5.28, 10.4.18 and 11.3.0) to prevent upload of malicious SVG files or to set up a strict Content Security Policy for the destination folder of uploaded images.

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-36787
• in2code-de/femanager@70f873c
• https://extensions.typo3.org/extension/femanager/
• https://github.com/in2code-de/femanager/releases/tag/6.3.1
• https://typo3.org/security/advisory/typo3-ext-sa-2021-010
• https://typo3.org/help/security-advisories/security
• http://packetstormsecurity.com/files/165675/TYPO3-femanager-6.3.0-Cross-Site-Scripting.html
• http://seclists.org/fulldisclosure/2022/Jan/53