CVE-2023-25013: 
PHP vulnerability analysis and mitigation

A critical security vulnerability was discovered in the femanager extension for TYPO3, identified as CVE-2023-25013. The vulnerability affects versions before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0. The issue was disclosed on January 31, 2023, and involves missing access checks in the InvitationController component that could allow unauthorized access to user accounts (TYPO3 Advisory).

The vulnerability is classified as a Broken Access Control issue with a severity rating of High. The CVSS score for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C. The security flaw specifically exists in the InvitationController component, where missing access checks allow an unauthenticated user with a valid invitation link to manipulate frontend user accounts (TYPO3 Advisory).

The vulnerability allows an unauthenticated user with a valid invitation link to set the password of all frontend users, potentially leading to unauthorized access to multiple user accounts. The issue is only exploitable if the invitation component of the extension is configured and used on the website (TYPO3 Advisory).

The vulnerability has been patched in versions 5.5.3, 6.3.4, and 7.1.0 of the femanager extension. Users are strongly advised to update to these versions as soon as possible. The updated versions can be obtained through the TYPO3 extension manager, packagist, or directly from the TYPO3 extension repository (TYPO3 Advisory).