CVE-2022-47407 is a vulnerability identified in the fp_masterquiz (also known as Master-Quiz) extension for the TYPO3 content management system. This extension is used to create and manage quizzes within TYPO3-powered websites. The vulnerability affects versions prior to 2.2.1 and 3.x versions before 3.5.1. The core issue is an authorization flaw (CWE-284) that allows an attacker to continue a quiz session initiated by another user. Exploiting this flaw, the attacker can view the other user's quiz answers and modify them. This implies a failure in properly enforcing access controls to quiz sessions, allowing unauthorized access and modification of user-specific data. The vulnerability does not require known exploits in the wild as of the publication date, and no patch links were provided, indicating that remediation may require upgrading to the fixed versions or applying vendor-supplied patches once available. The vulnerability impacts confidentiality and integrity of user data within the quiz module but does not directly affect system availability or broader system integrity beyond the quiz context. The attack vector likely requires the attacker to have some level of access to the TYPO3 installation, such as being a logged-in user or having access to the quiz interface, but the exact authentication requirements are not specified. Given the nature of the vulnerability, it is primarily a logical access control flaw rather than a remote code execution or privilege escalation issue.

For European organizations using TYPO3 with the fp_masterquiz extension, this vulnerability poses a risk to the confidentiality and integrity of user data collected via quizzes. Educational institutions, training providers, and businesses that rely on quizzes for assessments, certifications, or user engagement could see unauthorized disclosure and manipulation of quiz results. This could undermine trust in the platform, lead to data privacy concerns under GDPR, and potentially affect decision-making processes based on quiz outcomes. While the vulnerability does not directly compromise the entire TYPO3 system or underlying infrastructure, the ability to alter quiz answers could be exploited to falsify assessments or certifications, impacting organizational reputation and compliance. Since TYPO3 is widely used in Europe, especially in Germany and other central European countries, organizations in these regions are more likely to be affected. The lack of known exploits in the wild reduces immediate risk, but the vulnerability should be addressed promptly to prevent potential abuse.

Organizations should immediately identify TYPO3 installations using the fp_masterquiz extension and verify the version in use. Upgrading to version 2.2.1 or later for the 2.x branch, or 3.5.1 or later for the 3.x branch, is the primary mitigation step. If upgrading is not immediately possible, organizations should implement strict access controls around the quiz functionality, including limiting quiz access to authenticated and authorized users only. Additionally, monitoring and logging quiz session activities can help detect unauthorized access or modifications. Reviewing and hardening TYPO3 user permissions to ensure minimal necessary access to quiz modules is recommended. Since no patches were linked, organizations should stay alert for vendor updates or community patches. Finally, educating users and administrators about the risk and encouraging prompt application of updates will reduce exposure.