CVE-2024-24751 - Vulnerability Details - OpenCVE

ReportizFlow

sf_event_mgt is an event management and registration extension for the TYPO3 CMS based on ExtBase and Fluid. In affected versions the existing access control check for events in the backend module got broken during the update of the extension to TYPO3 12.4, because the `RedirectResponse` from the `$this->redirect()` function was never handled. This issue has been addressed in version 7.4.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Derhansen	Event Management And Registration

Configuration 1 [-]

cpe:2.3:a:derhansen:event_management_and_registration:7.0.0:*:*:*:*:typo3:*:*

No data.

References

Link	Providers
https://github.com/derhansen/sf_event_mgt/commit/a08c2cd48695c07e462d15eeb70434ddc0206e4c
https://github.com/derhansen/sf_event_mgt/security/advisories/GHSA-4576-pgh2-g34j

History

Fri, 18 Oct 2024 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Derhansen Derhansen event Management And Registration
CPEs		cpe:2.3:a:derhansen:event_management_and_registration:7.0.0:::::typo3::
Vendors & Products		Derhansen Derhansen event Management And Registration

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-02-13T18:30:38.670Z

Updated: 2024-08-01T23:28:12.712Z

Reserved: 2024-01-29T20:51:26.009Z

Link: CVE-2024-24751

Vulnrichment

Updated: 2024-08-01T23:28:12.712Z

NVD

Status : Modified

Published: 2024-02-13T19:15:10.950

Modified: 2024-11-21T08:59:37.407

Link: CVE-2024-24751

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-24751", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-29T20:51:26.009Z", "datePublished": "2024-02-13T18:30:38.670Z", "dateUpdated": "2024-08-01T23:28:12.712Z"}, "containers": {"cna": {"title": "Broken Access Control in Backend Module in sf_event_mgt", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/derhansen/sf_event_mgt/security/advisories/GHSA-4576-pgh2-g34j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/derhansen/sf_event_mgt/security/advisories/GHSA-4576-pgh2-g34j"}, {"name": "https://github.com/derhansen/sf_event_mgt/commit/a08c2cd48695c07e462d15eeb70434ddc0206e4c", "tags": ["x_refsource_MISC"], "url": "https://github.com/derhansen/sf_event_mgt/commit/a08c2cd48695c07e462d15eeb70434ddc0206e4c"}], "affected": [{"vendor": "derhansen", "product": "sf_event_mgt", "versions": [{"version": ">= 7.0.0, < 7.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-13T18:30:38.670Z"}, "descriptions": [{"lang": "en", "value": "sf_event_mgt is an event management and registration extension for the TYPO3 CMS based on ExtBase and Fluid. In affected versions the existing access control check for events in the backend module got broken during the update of the extension to TYPO3 12.4, because the `RedirectResponse` from the `$this->redirect()` function was never handled. This issue has been addressed in version 7.4.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-4576-pgh2-g34j", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24751", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-15T16:23:48.302356Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:42:57.010Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:12.712Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/derhansen/sf_event_mgt/security/advisories/GHSA-4576-pgh2-g34j", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/derhansen/sf_event_mgt/security/advisories/GHSA-4576-pgh2-g34j"}, {"name": "https://github.com/derhansen/sf_event_mgt/commit/a08c2cd48695c07e462d15eeb70434ddc0206e4c", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/derhansen/sf_event_mgt/commit/a08c2cd48695c07e462d15eeb70434ddc0206e4c"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/derhansen/sf_event_mgt/security/advisories/GHSA-4576-pgh2-g34j", "name": "https://github.com/derhansen/sf_event_mgt/security/advisories/GHSA-4576-pgh2-g34j", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/derhansen/sf_event_mgt/commit/a08c2cd48695c07e462d15eeb70434ddc0206e4c", "name": "https://github.com/derhansen/sf_event_mgt/commit/a08c2cd48695c07e462d15eeb70434ddc0206e4c", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:12.712Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24751", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-15T16:23:48.302356Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:10.302Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Broken Access Control in Backend Module in sf_event_mgt", "source": {"advisory": "GHSA-4576-pgh2-g34j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "derhansen", "product": "sf_event_mgt", "versions": [{"status": "affected", "version": ">= 7.0.0, < 7.4.0"}]}], "references": [{"url": "https://github.com/derhansen/sf_event_mgt/security/advisories/GHSA-4576-pgh2-g34j", "name": "https://github.com/derhansen/sf_event_mgt/security/advisories/GHSA-4576-pgh2-g34j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/derhansen/sf_event_mgt/commit/a08c2cd48695c07e462d15eeb70434ddc0206e4c", "name": "https://github.com/derhansen/sf_event_mgt/commit/a08c2cd48695c07e462d15eeb70434ddc0206e4c", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "sf_event_mgt is an event management and registration extension for the TYPO3 CMS based on ExtBase and Fluid. In affected versions the existing access control check for events in the backend module got broken during the update of the extension to TYPO3 12.4, because the `RedirectResponse` from the `$this->redirect()` function was never handled. This issue has been addressed in version 7.4.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-13T18:30:38.670Z"}}}, "cveMetadata": {"cveId": "CVE-2024-24751", "state": "PUBLISHED", "dateUpdated": "2024-08-01T23:28:12.712Z", "dateReserved": "2024-01-29T20:51:26.009Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-02-13T18:30:38.670Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:derhansen:event_management_and_registration:7.0.0:*:*:*:*:typo3:*:*", "matchCriteriaId": "F9EDEEAA-E3A5-4F9E-8B6F-76CBB5C0500F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "sf_event_mgt is an event management and registration extension for the TYPO3 CMS based on ExtBase and Fluid. In affected versions the existing access control check for events in the backend module got broken during the update of the extension to TYPO3 12.4, because the `RedirectResponse` from the `$this->redirect()` function was never handled. This issue has been addressed in version 7.4.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "sf_event_mgt es una extensi\u00f3n de registro y gesti\u00f3n de eventos para TYPO3 CMS basada en ExtBase y Fluid. En las versiones afectadas, la verificaci\u00f3n de control de acceso existente para eventos en el m\u00f3dulo backend se rompi\u00f3 durante la actualizaci\u00f3n de la extensi\u00f3n a TYPO3 12.4, porque la funci\u00f3n `RedirectResponse` de la funci\u00f3n `$this->redirect()` nunca se manej\u00f3. Este problema se solucion\u00f3 en la versi\u00f3n 7.4.0. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-24751", "lastModified": "2024-11-21T08:59:37.407", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2024-02-13T19:15:10.950", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/derhansen/sf_event_mgt/commit/a08c2cd48695c07e462d15eeb70434ddc0206e4c"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/derhansen/sf_event_mgt/security/advisories/GHSA-4576-pgh2-g34j"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/derhansen/sf_event_mgt/commit/a08c2cd48695c07e462d15eeb70434ddc0206e4c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/derhansen/sf_event_mgt/security/advisories/GHSA-4576-pgh2-g34j"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-863"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "[email protected]", "type": "Primary"}]}