CVE-2025-7900

The femanager extension for TYPO3 allows Insecure Direct Object Reference resulting in unauthorized modification of userdata. This issue affects femanager version 6.4.1 and below, 7.0.0 to 7.5.2 and 8.0.0 to 8.3.0

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://typo3.org/security/advisory/typo3-ext-sa-2025-010	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:typo3:typo3::::::::
	cpe:2.3:a:typo3:typo3::::::::
	cpe:2.3:a:typo3:typo3::::::::

History

07 Oct 2025, 20:32

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
First Time		Typo3 Typo3 typo3
Summary		(es) La extensión femanager para TYPO3 permite la Referencia Directa a Objetos Insegura, lo que resulta en la modificación no autorizada de datos de usuario. Este problema afecta a las versiones 6.4.1 y anteriores de femanager, de la 7.0.0 a la 7.5.2 y de la 8.0.0 a la 8.3.0.
CPE		cpe:2.3:a:typo3:typo3::::::::
References	~~() https://typo3.org/security/advisory/typo3-ext-sa-2025-010 -~~	() https://typo3.org/security/advisory/typo3-ext-sa-2025-010 - Vendor Advisory

22 Jul 2025, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-22 11:15

Updated : 2025-10-07 20:32

NVD link : CVE-2025-7900

Mitre link : CVE-2025-7900

CVE.ORG link : CVE-2025-7900

JSON object : View

Products Affected

typo3

typo3

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2025-7900", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-22T11:15:24.340", "references": [{"url": "https://typo3.org/security/advisory/typo3-ext-sa-2025-010", "tags": ["Vendor Advisory"], "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "The femanager extension for TYPO3 allows Insecure Direct Object Reference resulting in unauthorized modification of userdata. This issue affects femanager version 6.4.1 and below, 7.0.0 to 7.5.2 and 8.0.0 to 8.3.0"}, {"lang": "es", "value": "La extensi\u00f3n femanager para TYPO3 permite la Referencia Directa a Objetos Insegura, lo que resulta en la modificaci\u00f3n no autorizada de datos de usuario. Este problema afecta a las versiones 6.4.1 y anteriores de femanager, de la 7.0.0 a la 7.5.2 y de la 8.0.0 a la 8.3.0."}], "lastModified": "2025-10-07T20:32:46.950", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F05BEC96-53F2-4B39-A6CD-985239C7C871", "versionEndIncluding": "6.4.1"}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BFD6DF63-E0A8-4869-B596-D47DB4183B3C", "versionEndIncluding": "7.5.2", "versionStartIncluding": "7.0.0"}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FCBE0E0B-4335-47F0-9D34-A51A14B3BFB9", "versionEndIncluding": "8.3.0", "versionStartIncluding": "8.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "f4fb688c-4412-4426-b4b8-421ecf27b14a"}