The sf_event_mgt (aka Event management and registration) extension before 4.3.1 and 5.x before 5.1.1 for TYPO3 allows Information Disclosure (participant data, and event data via email) because of Broken Access Control.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25026
Reference (s):
- https://typo3.org/security/advisory/typo3-ext-sa-2020-017
- https://typo3.org/help/security-advisories