CVE-2020-25026 – derhansen/sf_event_mgt

Package

Manager: composer
Name: derhansen/sf_event_mgt
Vulnerable Version: >=0 <4.3.1 || >=5.0.0 <5.1.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00197 pctl0.41891

Details

Information Disclosure in TYPO3 extension sf_event_mgt A missing access check in the backend module allows an authenticated backend user to export participant data for events which the user does not have access to, resulting in Information Disclosure. Another missing access check in the backend module allows an authenticated backend user to send emails to event participants for events which the user does not have access to, resulting in Broken Access Control. External reference: [https://typo3.org/security/advisory/typo3-ext-sa-2020-017](https://typo3.org/security/advisory/typo3-ext-sa-2020-017)

Metadata

Created: 2020-09-02T18:03:26Z
Modified: 2021-08-02T14:33:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-g8rg-7rpr-cwr2/GHSA-g8rg-7rpr-cwr2.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-g8rg-7rpr-cwr2
Finding: F006
Auto approve: 1