CVE-2025-7900 is a medium severity vulnerability identified in the femanager extension for the TYPO3 content management system. The vulnerability is classified under CWE-639, which refers to Authorization Bypass Through User-Controlled Key. Specifically, this issue arises from an Insecure Direct Object Reference (IDOR) flaw that allows unauthorized users to modify user data without proper authorization checks. The affected versions include femanager 6.4.1 and below, 7.0.0 through 7.5.2, and 8.0.0 through 8.3.0. The vulnerability enables attackers to manipulate user-controlled keys to bypass authorization mechanisms, potentially leading to unauthorized access or modification of sensitive user information. The CVSS 4.0 base score is 5.3, indicating a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:L), and no user interaction (UI:N). The impact is limited to low confidentiality and integrity impacts, with no availability or other impacts reported. No known exploits are currently in the wild, and no patches have been linked yet. This vulnerability highlights a critical authorization logic flaw in a widely used TYPO3 extension, which could be exploited remotely by authenticated users with limited privileges to escalate their access rights and alter user data improperly.

For European organizations using TYPO3 with the femanager extension, this vulnerability poses a risk of unauthorized modification of user data, which could lead to data integrity issues, privacy violations, and potential compliance breaches under regulations such as GDPR. Attackers exploiting this flaw could alter user profiles, potentially leading to privilege escalation or manipulation of user-related workflows. This could affect customer trust, lead to reputational damage, and incur regulatory penalties if personal data is compromised or altered without authorization. Since TYPO3 is popular among European public sector entities, educational institutions, and SMEs, the impact could be significant in these sectors. The vulnerability's network attack vector and lack of required user interaction increase the risk of exploitation in environments where femanager is deployed without adequate access controls or monitoring.

To mitigate this vulnerability, European organizations should: 1) Immediately review and restrict access permissions for femanager users, ensuring the principle of least privilege is enforced. 2) Monitor and audit user modification activities within TYPO3 to detect unauthorized changes promptly. 3) Apply any available patches or updates from TYPO3 or femanager maintainers as soon as they are released. 4) Implement additional authorization checks at the application level to validate user keys and prevent unauthorized access. 5) Consider temporarily disabling the femanager extension if it is not critical or if a patch is not yet available. 6) Conduct a thorough security review of all TYPO3 extensions to identify similar authorization bypass risks. 7) Educate administrators and developers about secure coding practices related to authorization and input validation to prevent recurrence.