CVE-2025-48202: 
PHP vulnerability analysis and mitigation

The femanager extension through version 8.2.1 for TYPO3 contains an Insecure Direct Object Reference vulnerability, discovered and disclosed on May 20, 2025. The vulnerability affects multiple versions including 5.5.0-5.5.4, 6.0.0-6.4.0, 7.0.0-7.4.1, and 8.0.0-8.2.1 (TYPO3 Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The issue is classified under CWE-425 (Direct Request) and involves unauthorized access to user data through a parameter manipulation in the newController component. Specifically, a superfluous parameter in the newAction of the newController allows unauthenticated access to frontend user data (TYPO3 Advisory, Wiz Analysis).

The vulnerability allows unauthorized access to frontend user data, potentially exposing sensitive user information to unauthenticated attackers. The impact is primarily focused on confidentiality, with no direct effect on system integrity or availability (TYPO3 Advisory).

Updated versions (5.5.5, 6.4.1, 7.4.2, and 8.2.2) have been released to address this vulnerability. Users are strongly advised to update their femanager extension as soon as possible. The patches are available through the TYPO3 extension manager, packagist, and direct download links. Users should also follow the recommendations provided in the TYPO3 Security Guide (TYPO3 Advisory).