cvelist | GitHub_M | CVELIST:CVE-2024-24751
Feb 13, 2024 - 6:30 p.m.

CVE-2024-24751 Broken Access Control in Backend Module in sf_event_mgt

2024-02-13 18:30:38
CWE-284
CWE-863
GitHub_M
www.cve.org

CVSS3: 4.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score: 4.9 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.0%)

sf_event_mgt is an event management and registration extension for the TYPO3 CMS based on ExtBase and Fluid. In affected versions, the existing access control check for events in the backend module was broken during the update of the extension to TYPO3 12.4, because the RedirectResponse returned by the $this->redirect() function was never handled. This issue has been addressed in version 7.4.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CNA Affected

[
  {
    "vendor": "derhansen",
    "product": "sf_event_mgt",
    "versions": [
      {
        "version": ">= 7.0.0, < 7.4.0",
        "status": "affected"
      }
    ]
  }
]
