TYPO3 Frontend User Registration Extension Broken Access Control Vulnerability

Vulnerability

A broken access control vulnerability has been identified in the TYPO3 extension 'Frontend User Registration' (sf_register), specifically in versions 14.0.0 to 14.0.1 and 13.2.3 and below. The issue arises because the create and edit flows do not properly restrict user properties or enforce access control on frontend user group assignments. This lack of restriction allows an attacker to assign arbitrary frontend user groups to newly registered or edited accounts, thereby gaining unauthorized access to content and functionalities reserved for privileged frontend user groups.

Impact

Exploitation of this vulnerability allows for unauthorized assignment of frontend user groups, granting access to restricted content and functionalities based on those groups.

Remediation

Users of the 'Frontend User Registration' extension are advised to update to version 14.0.2 or 13.2.4, available through the TYPO3 extension manager, Packagist, or by downloading the ZIP files from the TYPO3 extensions website.
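To confirm whether a given installation still carries an affected release, the version ranges above can be checked against composer.lock. The following is an added example, not code from the advisory or from the extension's project; it assumes the Packagist name of sf_register is evoweb/sf-register, and the lock content shown is constructed sample data.

```python
import json
import re

# Assumption: Packagist name of sf_register; confirm against your composer.json.
PACKAGE = "evoweb/sf-register"

# Constructed sample of composer.lock content (not from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "typo3/cms-core", "version": "v13.4.0"},
        {"name": "evoweb/sf-register", "version": "14.0.1"},
    ],
    "packages-dev": [],
})


def parse_version(raw):
    """Return (major, minor, patch) for tags like '14.0.1' or 'v13.2.3', else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def is_affected(version):
    """Affected per the advisory: 14.0.0 to 14.0.1, and 13.2.3 and below."""
    return (14, 0, 0) <= version <= (14, 0, 1) or version <= (13, 2, 3)


def check_lock(lock_text, package=PACKAGE):
    """Return (status, locked_version) for the extension in composer.lock content."""
    lock = json.loads(lock_text)
    for entry in lock.get("packages", []) + lock.get("packages-dev", []):
        if entry.get("name", "").lower() != package:
            continue
        raw = entry.get("version", "")
        version = parse_version(raw)
        if version is None:
            # Branch aliases such as dev-main carry no release number: review by hand.
            return ("unknown", raw)
        return ("affected" if is_affected(version) else "not-affected", raw)
    return ("not-installed", None)


if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

A result of "unknown" means the lock file pins a branch rather than a tagged release, so the installed commit has to be compared with the fixed versions manually.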

Added: May 19, 2026, 10:22 AM
Updated: May 19, 2026, 10:22 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 7.4
remediation: 0.0
relevance: 8.8
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.