A missing access check in the backend module allows an authenticated backend user to export participant data for events which the user does not have access to, resulting in Information Disclosure.
Another missing access check in the backend module allows an authenticated backend user to send emails to event participants for events which the user does not have access to, resulting in Broken Access Control.
External reference: https://typo3.org/security/advisory/typo3-ext-sa-2020-017
github.com/derhansen/sf_event_mgt/commit/17edcbf608b252cc1123e1279f0735f6aa28fef4
github.com/derhansen/sf_event_mgt/security/advisories/GHSA-g8rg-7rpr-cwr2
nvd.nist.gov/vuln/detail/CVE-2020-25026
packagist.org/packages/derhansen/sf_event_mgt
typo3.org/help/security-advisories
typo3.org/security/advisory/typo3-ext-sa-2020-017