VulnerableCode Package Details - pkg:composer/in2code/femanager@7.2.3

Search for packages

Vulnerability	Summary	Fixed by
VCID-vpgv-cr97-kffs Aliases: CVE-2025-7900 GHSA-rc5f-3hfv-jxp2	The femanager extension for TYPO3 allows Insecure Direct Object Reference resulting in unauthorized modification of userdata. This issue affects femanager version 6.4.1 and below, 7.0.0 to 7.5.2 and 8.0.0 to 8.3.0	7.5.3 Affected by 0 other vulnerabilities. 8.3.1 Affected by 0 other vulnerabilities.
VCID-wumy-ggkp-cugg Aliases: CVE-2025-48202 GHSA-xxwr-wv9g-7jw3	The femanager extension through 8.2.1 for TYPO3 allows Insecure Direct Object Reference.	7.4.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 8.2.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-vpgv-cr97-kffs
Aliases:
CVE-2025-7900
GHSA-rc5f-3hfv-jxp2

The femanager extension for TYPO3 allows Insecure Direct Object Reference resulting in unauthorized modification of userdata. This issue affects femanager version 6.4.1 and below, 7.0.0 to 7.5.2 and 8.0.0 to 8.3.0

7.5.3
Affected by 0 other vulnerabilities.

8.3.1
Affected by 0 other vulnerabilities.

VCID-wumy-ggkp-cugg
Aliases:
CVE-2025-48202
GHSA-xxwr-wv9g-7jw3

The femanager extension through 8.2.1 for TYPO3 allows Insecure Direct Object Reference.

7.4.2
Affected by 1 other vulnerability.

8.2.2
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-2wst-vxu9-73ce	Broken Access Control in extension "femanager" The extension fails to check access permissions for the edit user component. An authenticated frontend user can use the vulnerability to either edit data of various frontend users or to delete various frontend user accounts. Another missing access check in the backend module of the extensions allows an authenticated backend user to perform various actions (userLogout, confirmUser, refuseUser and resendUserConfirmation) for any frontend user in the system.	CVE-2023-50459 GHSA-4xp5-hr35-84cx

Vulnerability

Summary

Aliases

VCID-2wst-vxu9-73ce

Broken Access Control in extension "femanager" The extension fails to check access permissions for the edit user component. An authenticated frontend user can use the vulnerability to either edit data of various frontend users or to delete various frontend user accounts. Another missing access check in the backend module of the extensions allows an authenticated backend user to perform various actions (userLogout, confirmUser, refuseUser and resendUserConfirmation) for any frontend user in the system.

CVE-2023-50459
GHSA-4xp5-hr35-84cx

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-13T06:27:39.528597+00:00	GHSA Importer	Fixing	VCID-2wst-vxu9-73ce	https://github.com/advisories/GHSA-4xp5-hr35-84cx	38.6.0
2026-06-12T20:07:41.930950+00:00	GitLab Importer	Affected by	VCID-vpgv-cr97-kffs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/in2code/femanager/CVE-2025-7900.yml	38.6.0
2026-06-12T20:02:09.659456+00:00	GitLab Importer	Affected by	VCID-wumy-ggkp-cugg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/in2code/femanager/CVE-2025-48202.yml	38.6.0
2026-06-12T15:47:42.037553+00:00	GitLab Importer	Fixing	VCID-2wst-vxu9-73ce	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/in2code/femanager/CVE-2023-50459.yml	38.6.0
2026-06-12T07:57:54.353718+00:00	GithubOSV Importer	Fixing	VCID-2wst-vxu9-73ce	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-4xp5-hr35-84cx/GHSA-4xp5-hr35-84cx.json	38.6.0