4.3

CVSS Score

Basic Information

CVE ID

CVE-2020-25026

GHSA ID

GHSA-g8rg-7rpr-cwr2

EPSS Score

CWE

CWE-863

Published

9/2/2020

Updated

2/1/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-25026

CVE-2020-25026:
Information Disclosure in TYPO3 extension sf_event_mgt

A missing access check in the backend module allows an authenticated backend user to export participant data for events which the user does not have access to, resulting in Information Disclosure.

Another missing access check in the backend module allows an authenticated backend user to send emails to event participants for events which the user does not have access to, resulting in Broken Access Control.

External reference: https://typo3.org/security/advisory/typo3-ext-sa-2020-017

(GitHub Advisory)

4.3

CVSS Score

Basic Information

CVE ID

CVE-2020-25026

GHSA ID

GHSA-g8rg-7rpr-cwr2

EPSS Score

CWE

CWE-863

Published

9/2/2020

Updated

2/1/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
derhansen/sf_event_mgt	composer	< 4.3.1	4.3.1
derhansen/sf_event_mgt	composer	>= 5.0.0, < 5.1.1	5.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows these functions were modified to add checkEventAccess() calls in the patched versions. The vulnerability reports explicitly mention missing access checks in backend module functions for data export and email notifications. The pre-patch versions of exportAction and notifyAction lacked the critical permission verification implemented through checkEventAccess(), which validates if the user has webmount access to the event's storage page.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* missin* ****ss ****k in t** ***k*n* mo*ul* *llows *n *ut**nti**t** ***k*n* us*r to *xport p*rti*ip*nt **t* *or *v*nts w*i** t** us*r *o*s not **v* ****ss to, r*sultin* in In*orm*tion *is*losur*. *not**r missin* ****ss ****k in t** ***k*n* mo*ul*

Reasoning

T** *ommit *i** s*ows t**s* *un*tions w*r* mo*i*i** to *** ****k*v*nt****ss() **lls in t** p*t**** v*rsions. T** vuln*r**ility r*ports *xpli*itly m*ntion missin* ****ss ****ks in ***k*n* mo*ul* *un*tions *or **t* *xport *n* *m*il noti*i**tions. T** p

4.3

Basic Information

Concerned about an active attack path?

CVE-2020-25026: Information Disclosure in TYPO3 extension sf_event_mgt

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-25026:
Information Disclosure in TYPO3 extension sf_event_mgt

Vulnerability Intelligence
Miggo AI