CVE-2025-7900: 
PHP vulnerability analysis and mitigation

The femanager extension for TYPO3 contains an Insecure Direct Object Reference vulnerability (CVE-2025-7900) that was disclosed on July 22, 2025. This vulnerability affects femanager versions 6.4.1 and below, 7.0.0 to 7.5.2, and 8.0.0 to 8.3.0. The issue allows authenticated frontend users with access to the "Edit" plugin to modify other frontend user records through unauthorized data manipulation (TYPO3 Advisory).

The vulnerability stems from improper validation of the __identity parameter when saving user-submitted data. While the extension attempts to log incidents of parameter manipulation through Extbase persistence mechanisms, a flaw in handling the manipulated user object results in unintended persistence of changes. The vulnerability has been assigned a CVSS v4.0 base score of 5.3 (Medium) with the vector string AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N and is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) (TYPO3 Advisory).

The vulnerability allows authenticated frontend users with access to the "Edit" plugin to arbitrarily modify other frontend user records by submitting manipulated data. This represents a significant authorization bypass that could lead to unauthorized modification of user data (TYPO3 Advisory).

Updated versions 6.4.2, 7.5.3, and 8.3.1 have been released to address this vulnerability. Users are strongly advised to update their femanager extension as soon as possible. The updates are available through the TYPO3 extension manager, packagist, and direct download links (TYPO3 Advisory).