Broken Access Control in Backend Module in sf_event_mgt
Description
Broken access control in sf_event_mgt TYPO3 extension allows unauthorized backend users to access event management actions due to unhandled redirect response.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
During the update of sf_event_mgt to TYPO3 12.4, the existing access control check for events in the backend module was broken. The $this->redirect() function in the checkEventAccess() method returned a RedirectResponse, but it was not handled by the calling code. This allowed execution to continue even when access was denied, effectively bypassing the authorization check [1][4].
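To make the root cause concrete, here is an added example (not code from sf_event_mgt or TYPO3) that reduces both controller shapes to constructed stand-ins: RedirectResponse, MiniController, VulnerableController and FixedController are assumptions, and the real checkEventAccess() also enqueues a flash message, which is omitted here.

```php
<?php
// Constructed stand-ins, not TYPO3's real classes. In TYPO3 12 Extbase, redirect()
// returns a RedirectResponse rather than throwing, so a caller that drops it keeps going.
final class RedirectResponse
{
    public function __construct(public readonly string $target) {}
}

abstract class MiniController
{
    public function __construct(protected readonly bool $userHasWebMount) {}

    protected function redirect(string $action): RedirectResponse
    {
        return new RedirectResponse($action);
    }
}

// Pre-7.4.0 shape: the helper calls redirect() but nothing propagates the response.
final class VulnerableController extends MiniController
{
    private function checkEventAccess(): void
    {
        if (!$this->userHasWebMount) {
            $this->redirect('list'); // return value discarded, so the action carries on
        }
    }
    public function exportAction(): string
    {
        $this->checkEventAccess();
        return 'csv-downloaded'; // reached even when access was denied
    }
}

// 7.4.0 shape: the helper reports the outcome and the caller returns the redirect.
final class FixedController extends MiniController
{
    private function checkEventAccess(): bool { return $this->userHasWebMount; }
    public function exportAction(): string
    {
        if (!$this->checkEventAccess()) {
            return 'redirect:' . $this->redirect('list')->target;
        }
        return 'csv-downloaded';
    }
}
// Same backend user without a web mount on the event's page, run through both controllers.
echo (new VulnerableController(false))->exportAction(), PHP_EOL;
echo (new FixedController(false))->exportAction(), PHP_EOL;
```

The vulnerable variant reaches the download for a denied user because the RedirectResponse is created and immediately thrown away; the fixed variant only proceeds when the boolean says so.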
Exploitation
An authenticated backend user with insufficient privileges can exploit this vulnerability by sending crafted requests to restricted actions such as exportAction, notifyAction, or indexNotifyAction. The fix commit shows that the code originally did not check the return value of checkEventAccess() and continued to process the request [3]. After the fix, the methods return a redirect response if access is denied, preventing further execution.
Impact
Successful exploitation allows an attacker to view, export, or modify event registrations and notifications. This could lead to unauthorized disclosure of registration data, manipulation of event settings, and potential privilege escalation within the backend module [1][4].
Mitigation
The vulnerability is fixed in version 7.4.0 of the extension. Users are advised to upgrade immediately. There are no known workarounds for this issue [1][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| derhansen/sf_event_mgt (Packagist) | >= 7.0.0, < 7.4.0 | 7.4.0 |
Affected products
- derhansen/sf_event_mgt (v5): >= 7.0.0, < 7.4.0
Patches
- a08c2cd48695: Merge branch 'task/security-fix-admin-module'
2 files changed · +16 −11
Classes/Controller/AdministrationController.php+14 −8 modified@@ -311,8 +311,7 @@ public function exportAction(int $eventUid): void { /** @var Event $event */ $event = $this->eventRepository->findByUidIncludeHidden($eventUid); - if ($event !== null) { - $this->checkEventAccess($event); + if ($event !== null && $this->checkEventAccess($event)) { $this->exportService->downloadRegistrationsCsv($eventUid, $this->settings['csvExport'] ?? []); } exit(); @@ -339,7 +338,10 @@ public function handleExpiredRegistrationsAction(): ResponseInterface */ public function indexNotifyAction(Event $event): ResponseInterface { - $this->checkEventAccess($event); + if (!$this->checkEventAccess($event)) { + return $this->redirect('list'); + } + $customNotification = GeneralUtility::makeInstance(CustomNotification::class); $customNotifications = $this->settingsService->getCustomNotifications($this->settings); $logEntries = $this->customNotificationLogRepository->findByEvent($event); @@ -392,7 +394,10 @@ public function getNotificationRecipients(): array */ public function notifyAction(Event $event, CustomNotification $customNotification): ResponseInterface { - $this->checkEventAccess($event); + if (!$this->checkEventAccess($event)) { + return $this->redirect('list'); + } + $customNotifications = $this->settingsService->getCustomNotifications($this->settings); $result = $this->notificationService->sendCustomNotification($event, $customNotification, $this->settings); $this->notificationService->createCustomNotificationLogentry( 
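Review bot: In the exportAction hunk the denied branch is inconsistent with the other two hunks: `if ($event !== null && $this->checkEventAccess($event))` skips the download, but execution still falls through to the unconditional `exit();`, so a user without access (and the `$event === null` case) receives an empty response instead of the `list` redirect that indexNotifyAction and notifyAction return. Because the method is declared `: void` and ends in `exit()`, it cannot return the redirect at all; consider changing it to return a `ResponseInterface` (a response carrying the CSV on success, `$this->redirect('list')` on denial) so all three actions handle denial the same way and the access-denied flash message enqueued by checkEventAccess() is actually shown on the list view.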
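Review bot: The guard added in the indexNotifyAction and notifyAction hunks is the same block repeated verbatim, and with checkEventAccess() now returning `bool` the authorization holds only if every present and future caller remembers to branch on the result; a caller that calls the helper and ignores its return value fails open exactly as the pre-fix code did. Consider a helper that returns the denial response itself so callers cannot forget to use it (e.g. `if ($denied = $this->denyUnlessEventAccess($event)) { return $denied; }`, name hypothetical), or at least a static-analysis rule or test asserting the helper's return value is never discarded.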
@@ -410,19 +415,20 @@ public function notifyAction(Event $event, CustomNotification $customNotificatio /** * Checks if the current backend user has access to the PID of the event and if not, enqueue an - * access denied flash message and redirect to list view + * access denied flash message */ - public function checkEventAccess(Event $event): void + public function checkEventAccess(Event $event): bool { if ($this->getBackendUser()->isInWebMount($event->getPid()) === null) { $this->addFlashMessage( $this->getLanguageService()->sL(self::LANG_FILE . 'administration.accessdenied.content'), $this->getLanguageService()->sL(self::LANG_FILE . 'administration.accessdenied.title'), ContextualFeedbackSeverity::ERROR ); - - $this->redirect('list'); + return false; } + + return true; } /**
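Review bot: In the checkEventAccess hunk the signature change to `: bool` is right, but the name still reads like a side-effecting check rather than a predicate, and the method keeps its side effect of enqueuing the access-denied flash message before `return false;`. Any caller that only wants a silent yes/no, or one that ends the request without rendering a view (as exportAction does with `exit()`), gets a message enqueued regardless. Consider splitting the pure check (something like `hasEventAccess(Event $event): bool`, name hypothetical) from the message handling, and updating the docblock to state that the method returns `false` after enqueuing the message.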
Tests/Unit/Controller/AdministrationControllerTest.php+2 −3 modified@@ -371,15 +371,14 @@ public function notifyActionSendsNotificationsLogsAndRedirects(): void /** * @test */ - public function checkEventAccessRedirectsToListViewIfNoEventAccess(): void + public function checkEventAccessReturnsFalseIfNoEventAccess(): void { $event = new Event(); $mockBackendUser = $this->getMockBuilder(BackendUserAuthentication::class)->getMock(); $mockBackendUser->expects(self::once())->method('isInWebMount')->willReturn(null); $GLOBALS['BE_USER'] = $mockBackendUser; - $this->subject->expects(self::once())->method('redirect'); - $this->subject->checkEventAccess($event); + self::assertFalse($this->subject->checkEventAccess($event)); } }
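Review bot: The renamed test covers only the denied branch of checkEventAccess(); the hunk shows no test for the allowed branch (`isInWebMount` returning a non-null id, expecting `true`) and none asserting that indexNotifyAction and notifyAction actually return the `list` redirect when the helper returns false, which is the behaviour this fix introduces. Since the regression was precisely a caller ignoring the helper's outcome, a test on the callers' return values would guard against recurrence better than `self::assertFalse($this->subject->checkEventAccess($event));` alone.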
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-4576-pgh2-g34j (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2024-24751 (NVD advisory)
- [3] github.com/derhansen/sf_event_mgt/commit/a08c2cd48695c07e462d15eeb70434ddc0206e4c (fix commit)
- [4] github.com/derhansen/sf_event_mgt/security/advisories/GHSA-4576-pgh2-g34j (vendor advisory)