Lucene search

GitHub Advisory DatabaseGHSA-CCHP-3RQ6-69WJ

HistoryJun 21, 2024 - 9:30 a.m.

events2 TYPO3 extension insecure direct object reference (IDOR) vulnerability

2024-06-2109:30:26

CWE-639

GitHub Advisory Database

github.com

typo3

extension

idor

vulnerability

access checks

management plugin

unauthenticated users

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

An issue was discovered in the events2 (aka Events 2) extension before 8.3.8 and 9.x before 9.0.6 for TYPO3. Missing access checks in the management plugin lead to an insecure direct object reference (IDOR) vulnerability with the potential to activate or delete various events for unauthenticated users.

Affected configurations

Vulners

Node

jweilandevents2Range<9.0.6

jweilandevents2Range<8.3.8

CPENameOperatorVersion
jweiland/events2lt9.0.6
jweiland/events2lt8.3.8

CPE	Name	Operator	Version
	jweiland/events2	lt	9.0.6
	jweiland/events2	lt	8.3.8

References

github.com/advisories/GHSA-cchp-3rq6-69wj

github.com/FriendsOfPHP/security-advisories/blob/master/jweiland/events2/CVE-2024-38874.yaml

nvd.nist.gov/vuln/detail/CVE-2024-38874

typo3.org/security/advisory/typo3-ext-sa-2024-003

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for GHSA-CCHP-3RQ6-69WJ