Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc4cmctN3Jwci1jd3Iy

Information Disclosure in TYPO3 extension sf_event_mgt

A missing access check in the backend module allows an authenticated backend user to export participant data for events which the user does not have access to, resulting in Information Disclosure.

Another missing access check in the backend module allows an authenticated backend user to send emails to event participants for events which the user does not have access to, resulting in Broken Access Control.

External reference: https://typo3.org/security/advisory/typo3-ext-sa-2020-017

Permalink: https://github.com/advisories/GHSA-g8rg-7rpr-cwr2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc4cmctN3Jwci1jd3Iy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: over 1 year ago

CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-g8rg-7rpr-cwr2, CVE-2020-25026
References:

• https://github.com/derhansen/sf_event_mgt/security/advisories/GHSA-g8rg-7rpr-cwr2
• https://github.com/derhansen/sf_event_mgt/commit/17edcbf608b252cc1123e1279f0735f6aa28fef4
• https://packagist.org/packages/derhansen/sf_event_mgt
• https://typo3.org/security/advisory/typo3-ext-sa-2020-017
• https://nvd.nist.gov/vuln/detail/CVE-2020-25026
• https://typo3.org/help/security-advisories
• https://github.com/advisories/GHSA-g8rg-7rpr-cwr2

Repository: https://github.com/derhansen/sf_event_mgt
Blast Radius: 2.1

Affected Packages