GHSA-v348-vr4q-fv9pMedium

TYPO3 sf_register extension allows unauthorized assignment of frontend user groups

Published
May 19, 2026
Last Modified
June 29, 2026

🔗 CVE IDs covered (1)

📋 Description

The create and edit flows in the TYPO3 extension sf_register do not restrict which user properties may be submitted, and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups.

🎯 Affected products2

  • composer/evoweb/sf-register:>= 14.0.0, < 14.0.2
  • composer/evoweb/sf-register:< 13.2.4

🔗 References (4)