GHSA-g8rg-7rpr-cwr2

Source
https://github.com/advisories/GHSA-g8rg-7rpr-cwr2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-g8rg-7rpr-cwr2/GHSA-g8rg-7rpr-cwr2.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-g8rg-7rpr-cwr2
Aliases
Published
2020-09-02T18:03:26Z
Modified
2023-11-01T04:52:37.636784Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Information Disclosure in TYPO3 extension sf_event_mgt
Details

A missing access check in the backend module allows an authenticated backend user to export participant data for events which the user does not have access to, resulting in Information Disclosure.

Another missing access check in the backend module allows an authenticated backend user to send emails to event participants for events which the user does not have access to, resulting in Broken Access Control.

External reference: https://typo3.org/security/advisory/typo3-ext-sa-2020-017

Database specific
{
    "nvd_published_at": "2020-09-02T17:15:00Z",
    "github_reviewed_at": "2020-09-02T18:03:13Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-863"
    ]
}
References

Affected packages

Packagist / derhansen/sf_event_mgt

Package

Name
derhansen/sf_event_mgt
Purl
pkg:composer/derhansen/sf_event_mgt

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.3.1

Affected versions

1.*

1.2.0
1.4.0
1.4.1
1.5.0
1.6.0
1.6.1
1.7.0
1.7.1
1.8.0
1.8.1

2.*

2.0.0
2.1.0

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8

4.*

4.0.0
4.0.1
4.1.0
4.1.1
4.1.2
4.1.3
4.2.0
4.2.1
4.2.2
4.3.0

Packagist / derhansen/sf_event_mgt

Package

Name
derhansen/sf_event_mgt
Purl
pkg:composer/derhansen/sf_event_mgt

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.1.1

Affected versions

5.*

5.0.0
5.0.1
5.1.0