CVE-2025-7900 in femanager Extensioninfo

Summary

by MITRE • 07/22/2025

The femanager extension for TYPO3 allows Insecure Direct Object Reference resulting in unauthorized modification of user data. This issue affects femanager version 6.4.1 and below, 7.0.0 to 7.5.2 and 8.0.0 to 8.3.0.


Analysis

by VulDB Data Team • 10/08/2025

The femanager extension for TYPO3 presents a critical security vulnerability classified as insecure direct object reference that enables unauthorized modification of user data. This vulnerability exists within the extension's handling of user management operations, where direct object references are used without proper authorization checks or input validation. The flaw allows attackers to manipulate object identifiers directly within URLs or request parameters to access or modify user accounts they should not have access to, fundamentally undermining the application's authentication and authorization mechanisms. The vulnerability affects multiple version ranges including femanager 6.4.1 and below, 7.0.0 through 7.5.2, and 8.0.0 through 8.3.0, indicating a widespread issue across several major release lines of the extension.

The technical implementation of this vulnerability stems from inadequate access control validation within the femanager extension's user management functions. When users interact with the extension's administrative interfaces or API endpoints, the system relies on direct object references such as user IDs or record identifiers passed through the application's request parameters. These identifiers are not properly validated against the authenticated user's permissions or ownership rights, allowing an attacker to simply modify these values to target different user accounts. The vulnerability manifests when the extension processes requests without verifying that the requesting user has legitimate authorization to modify the specified object, creating a direct path for privilege escalation and unauthorized data manipulation.

The operational impact of this vulnerability is severe and multifaceted, potentially enabling attackers to compromise user accounts, modify personal information, reset passwords, or even delete user records entirely. An attacker could exploit this flaw to access sensitive user data, escalate privileges within the TYPO3 system, or conduct data integrity attacks that could affect the entire user management ecosystem. The vulnerability particularly impacts organizations relying on femanager for user registration, authentication, or administrative functions, as it allows unauthorized access to user databases without proper authentication. This issue can result in significant data breaches, compliance violations, and potential system compromise that could affect the broader TYPO3 installation and associated services.

Organizations should immediately upgrade to femanager versions that have addressed this vulnerability, as the affected versions represent a critical security risk. The recommended mitigation strategy includes implementing proper input validation, enforcing strict access control checks, and ensuring that all object references are validated against authenticated user permissions before processing. Security teams should also implement monitoring for unusual user management activities and consider implementing additional authentication layers or API rate limiting to prevent automated exploitation attempts. This vulnerability aligns with CWE-284 (Improper Access Control) and may be categorized under ATT&CK technique T1078 (Valid Accounts) and T1566 (Phishing) as attackers could leverage compromised user accounts to further infiltrate systems, making it essential for organizations to conduct comprehensive security assessments and review their access control configurations across all TYPO3 extensions.
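The ownership check the analysis calls for, and a review of access logs for the "unusual user management activities" it recommends monitoring, as an added example in Python that is not femanager's or TYPO3's own code; the handler shape, the `user` request parameter name and the log line format are assumptions.

```python
"""Ownership check and log review for an IDOR in a user-edit endpoint.

Constructed example: models a profile-update handler that must only let a
frontend user modify their own record, and a detector run over constructed
access-log lines that flags POSTs whose targeted record uid differs from the
session's uid.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    uid: int              # authenticated frontend user uid (hypothetical field)
    is_admin: bool = False


def update_user_vulnerable(store, session, target_uid, changes):
    """'Before' pattern: the uid taken from the request is trusted as-is."""
    if target_uid not in store:
        return False
    store[target_uid].update(changes)
    return True


def update_user_hardened(store, session, target_uid, changes):
    """Mitigated pattern: the object reference is validated against the
    authenticated user's identity (or an explicit admin role) before writing."""
    if target_uid not in store:
        return False
    if target_uid != session.uid and not session.is_admin:
        return False          # cross-account modification refused
    store[target_uid].update(changes)
    return True


# Constructed log format: "<session_uid> <METHOD> <path?query>"
LOG_RE = re.compile(r"^(?P<sid>\d+) (?P<method>POST|GET) \S*?[?&]user=(?P<target>\d+)")


def cross_account_edits(log_lines):
    """Return (session_uid, target_uid) pairs for POSTs targeting another user's record."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST" and m.group("sid") != m.group("target"):
            hits.append((int(m.group("sid")), int(m.group("target"))))
    return hits


SAMPLE_LOG = [                      # constructed lines, not real femanager logs
    "7 GET /user/edit?user=7",
    "7 POST /user/edit?user=7",
    "7 POST /user/edit?user=42",
    "9 POST /user/edit?user=7&tx=1",
]
```

Running `cross_account_edits(SAMPLE_LOG)` yields the two mismatched POSTs; on a fixed version these requests should also appear as rejected in the application log.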

Responsible

TYPO3

Reservation

07/19/2025

Disclosure

07/22/2025

Moderation

accepted

CPE

ready

EPSS

0.00202

KEV

no

Activities

very low
