GHSA-v348-vr4q-fv9pMedium
TYPO3 sf_register extension allows unauthorized assignment of frontend user groups
🔗 CVE IDs covered (1)
📋 Description
The create and edit flows in the TYPO3 extension sf_register do not restrict which user properties may be submitted, and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups.
🎯 Affected products2
- composer/evoweb/sf-register:>= 14.0.0, < 14.0.2
- composer/evoweb/sf-register:< 13.2.4