GHSA-g8rg-7rpr-cwr2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g8rg-7rpr-cwr2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-g8rg-7rpr-cwr2/GHSA-g8rg-7rpr-cwr2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-g8rg-7rpr-cwr2
- Aliases
- Published
- 2020-09-02T18:03:26Z
- Modified
- 2023-11-08T04:03:09.360126Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Information Disclosure in TYPO3 extension sf_event_mgt
- Details
-
A missing access check in the backend module allows an authenticated backend user to export participant data for events which the user does not have access to, resulting in Information Disclosure.
Another missing access check in the backend module allows an authenticated backend user to send emails to event participants for events which the user does not have access to, resulting in Broken Access Control.
External reference: https://typo3.org/security/advisory/typo3-ext-sa-2020-017
- Database specific
{ "nvd_published_at": "2020-09-02T17:15:00Z", "github_reviewed_at": "2020-09-02T18:03:13Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-863" ] }- References
-
- https://github.com/derhansen/sf_event_mgt/security/advisories/GHSA-g8rg-7rpr-cwr2
- https://nvd.nist.gov/vuln/detail/CVE-2020-25026
- https://github.com/derhansen/sf_event_mgt/commit/17edcbf608b252cc1123e1279f0735f6aa28fef4
- https://packagist.org/packages/derhansen/sf_event_mgt
- https://typo3.org/help/security-advisories
- https://typo3.org/security/advisory/typo3-ext-sa-2020-017
Affected packages
Packagist / derhansen/sf_event_mgt
Package
- Name
- derhansen/sf_event_mgt
- Purl
- pkg:composer/derhansen/sf_event_mgt
Packagist / derhansen/sf_event_mgt
Package
- Name
- derhansen/sf_event_mgt
- Purl
- pkg:composer/derhansen/sf_event_mgt