Description
An issue was discovered in the events2 (aka Events 2) extension before 8.3.8 and 9.x before 9.0.6 for TYPO3. Missing access checks in the management plugin lead to an insecure direct object reference (IDOR) vulnerability with the potential to activate or delete various events for unauthenticated users.
References (1)
Core 1
Core References
Vendor Advisory
https://typo3.org/security/advisory/typo3-ext-sa-2024-003
Scores
CVSS v3
5.4
EPSS
0.0029
EPSS Percentile
20.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-693
Status
published
Products (1)
jweiland/events2
0 - 8.3.8Packagist
Published
Jun 21, 2024
Tracked Since
Feb 18, 2026