CVE-2025-48202: The femanager TYPO3 extension allows Insecure Direct Object Reference

CVSS Score (v3.1): 4.9

Basic Information

EPSS Score: 0.12216%
Published: 5/21/2025
Updated: 5/21/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C

Package Name      | Ecosystem | Vulnerable Versions | First Patched Version
in2code/femanager | composer  | >= 8.0.0, < 8.2.2   | 8.2.2
in2code/femanager | composer  | >= 7.0.0, < 7.4.2   | 7.4.2
in2code/femanager | composer  | >= 6.0.0, < 6.4.1   | 6.4.1
in2code/femanager | composer  | >= 5.5.0, < 5.5.5   | 5.5.5

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability description clearly states that the newAction of the newController is vulnerable due to a user parameter. The provided commit 54851f8f60254bd8060bdf7bc16d56f4de7bd828 directly addresses this by removing the User $user = null parameter from the newAction method in Classes/Controller/NewController.php. The commit message "[SECURITY] Don't pass User to newAction" further confirms this. The patch shows the removal of the $user parameter and its usage within the function, which is direct evidence of the vulnerability and its fix.


WAF Protection Rules

WAF Rule

Insecure Direct Object Reference (IDOR) in the femanager TYPO3 extension allows attackers to view frontend user data via a user parameter in the newAction of the newController.
