CVE-2023-45023: 
PHP vulnerability analysis and mitigation

A vulnerability was discovered in the TYPO3 extension 'femanager' (CVE-2023-45023) that was disclosed on October 4, 2023. The vulnerability affects versions 7.0.0 through 7.2.1 of the extension and is classified as a Broken Access Control issue with medium severity. The affected package is identified as 'in2code/femanager' in the Composer package management system (TYPO3 Advisory, GitHub Advisory).

The vulnerability stems from the extension's failure to properly check access permissions for the invitation component. The issue is specifically related to missing permission checks in the invitation controlling functionality. This security flaw has been assigned a CVSS score suggesting medium severity with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C and is categorized under CWE-284 (Broken Access Control) (TYPO3 Advisory).

When exploited, this vulnerability allows remote users to create frontend user accounts with access to configured frontend groups, potentially leading to unauthorized access. The impact is contingent on the configuration of the plugin, specifically affecting websites where the invitation component of the extension is configured and actively used (TYPO3 Advisory).

The vulnerability has been patched in version 7.2.2 of the femanager extension. Users are strongly advised to update to this version as soon as possible. The fix can be obtained through the TYPO3 extension manager, Packagist, or by downloading directly from the TYPO3 extension repository (TYPO3 Advisory, GitHub Release).