CVE-2024-38874: events2 TYPO3 extension insecure direct object reference (IDOR) vulnerability

June 21, 2024 (updated March 24, 2025)

An issue was discovered in the events2 (aka Events 2) extension before 8.3.8 and 9.x before 9.0.6 for TYPO3. Missing access checks in the management plugin lead to an insecure direct object reference (IDOR) vulnerability with the potential to activate or delete various events for unauthenticated users.

References

github.com/FriendsOfPHP/security-advisories/blob/master/jweiland/events2/CVE-2024-38874.yaml
github.com/advisories/GHSA-cchp-3rq6-69wj
github.com/jweiland-net/events2
nvd.nist.gov/vuln/detail/CVE-2024-38874
typo3.org/security/advisory/typo3-ext-sa-2024-003

Code Behaviors & Features

Detect and mitigate CVE-2024-38874 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →