Описание
Information Disclosure in TYPO3 extension sf_event_mgt
A missing access check in the backend module allows an authenticated backend user to export participant data for events which the user does not have access to, resulting in Information Disclosure.
Another missing access check in the backend module allows an authenticated backend user to send emails to event participants for events which the user does not have access to, resulting in Broken Access Control.
External reference: https://typo3.org/security/advisory/typo3-ext-sa-2020-017
Ссылки
- https://github.com/derhansen/sf_event_mgt/security/advisories/GHSA-g8rg-7rpr-cwr2
- https://nvd.nist.gov/vuln/detail/CVE-2020-25026
- https://github.com/derhansen/sf_event_mgt/commit/17edcbf608b252cc1123e1279f0735f6aa28fef4
- https://packagist.org/packages/derhansen/sf_event_mgt
- https://typo3.org/help/security-advisories
- https://typo3.org/security/advisory/typo3-ext-sa-2020-017
Пакеты
derhansen/sf_event_mgt
< 4.3.1
4.3.1
derhansen/sf_event_mgt
>= 5.0.0, < 5.1.1
5.1.1
Связанные уязвимости
The sf_event_mgt (aka Event management and registration) extension before 4.3.1 and 5.x before 5.1.1 for TYPO3 allows Information Disclosure (participant data, and event data via email) because of Broken Access Control.