CVE-2020-25026

Name of the Vulnerable Software and Affected Versions TYPO3 sf event mgt extension versions prior to 4.3.1 TYPO3 sf event mgt extension versions 5.x prior to 5.1.1

Description The issue allows Information Disclosure due to Broken Access Control, affecting participant data and event data via email. A missing access check in the backend module enables an authenticated backend user to export participant data for events they do not have access to. Another missing access check allows an authenticated backend user to send emails to event participants for events they do not have access to.

Recommendations For versions prior to 4.3.1, update to version 4.3.1 or later. For versions 5.x prior to 5.1.1, update to version 5.1.1 or later. As a temporary workaround, consider restricting access to the backend module to minimize the risk of exploitation.