CVE-2023-50459: 
PHP vulnerability analysis and mitigation

The vulnerability (CVE-2023-50459) affects the TYPO3 extension 'femanager' versions 7.0.0 through 7.2.2. This broken access control vulnerability was discovered and disclosed on December 13, 2023. The affected software component is a third-party extension that is not part of the TYPO3 default installation (TYPO3 Advisory).

The vulnerability is classified as a Broken Access Control issue with a CVSS v3.1 base score of 5.4 (Moderate severity). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, indicating that the vulnerability requires network access, low attack complexity, low privileges, and no user interaction. The scope is unchanged, with low impact on both confidentiality and integrity, but no impact on availability (GitHub Advisory).

The vulnerability allows authenticated frontend users to bypass access controls and edit or delete data of various frontend user accounts. Additionally, authenticated backend users can perform unauthorized actions including user logout, user confirmation, user refusal, and resending user confirmation for any frontend user in the system (TYPO3 Advisory).

Users are advised to update to version 7.2.3 of the femanager extension as soon as possible. The updated version is available through the TYPO3 extension manager, packagist, and can be downloaded directly from the TYPO3 extension repository (TYPO3 Advisory).