
CVE-2024-38874: events2 TYPO3 extension insecure direct object reference (IDOR) vulnerability

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.55211%
Published: 6/21/2024
Updated: 8/2/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Package Name       Ecosystem   Vulnerable Versions   First Patched Version
jweiland/events2   composer    < 8.3.8               8.3.8
jweiland/events2   composer    >= 9.0.0, < 9.0.6     9.0.6

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability description explicitly mentions missing access checks in the management plugin for activation/deletion operations. In TYPO3 architecture, these operations would typically be handled by controller actions. The combination of user-controlled event IDs (CWE-639) and lack of permission verification in these CRUD operations matches the described attack pattern. The high confidence comes from the direct correlation between the described vulnerability type (IDOR in management plugin) and standard TYPO3 extension patterns where controller actions handle such operations.


WAF Protection Rules

WAF Rule

An issue was discovered in the events2 (aka events 2) extension before 8.3.8 and 9.x before 9.0.6 for TYPO3. Missing access checks in the management plugin lead to an insecure direct object reference (IDOR) vulnerability with the potential to activat
