cvelistv5 - cve-2025-59017

CVE-2025-59017 (GCVE-0-2025-59017)

Vulnerability from cvelistv5

Published

2025-09-09 09:01

Modified

2025-09-09 19:30

Severity ?

5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

CWE

CWE-862 - Missing Authorization

Summary

Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules.

References

▼	URL	Tags
	f4fb688c-4412-4426-b4b8-421ecf27b14a	https://typo3.org/security/advisory/typo3-core-sa-2025-021	Vendor Advisory

Impacted products

Vendor

Product

Version

▼

TYPO3

TYPO3 CMS

Version: 9.0.0   ≤
Version: 10.0.0   ≤
Version: 11.0.0   ≤
Version: 12.0.0   ≤
Version: 13.0.0   ≤

TYPO3	TYPO3 CMS	Version: 9.0.0 ≤ Version: 10.0.0 ≤ Version: 11.0.0 ≤ Version: 12.0.0 ≤ Version: 13.0.0 ≤
TYPO3	TYPO3 CMS	Version: 10.0.0 ≤ Version: 11.0.0 ≤ Version: 12.0.0 ≤ Version: 13.0.0 ≤
TYPO3	TYPO3 CMS	Version: 9.0.0 ≤ Version: 10.0.0 ≤ Version: 11.0.0 ≤ Version: 12.0.0 ≤ Version: 13.0.0 ≤
TYPO3	TYPO3 CMS	Version: 9.0.0 ≤ Version: 10.0.0 ≤ Version: 11.0.0 ≤ Version: 12.0.0 ≤ Version: 13.0.0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59017",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-09T19:30:08.547495Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-09T19:30:15.708Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://packagist.org",
          "defaultStatus": "unaffected",
          "modules": [
            "Backend"
          ],
          "packageName": "typo3/cms-backend",
          "product": "TYPO3 CMS",
          "repo": "https://github.com/TYPO3/typo3",
          "vendor": "TYPO3",
          "versions": [
            {
              "lessThan": "9.5.55",
              "status": "affected",
              "version": "9.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.4.54",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.5.48",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.4.37",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.4.18",
              "status": "affected",
              "version": "13.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://packagist.org",
          "defaultStatus": "unaffected",
          "modules": [
            "Backend User"
          ],
          "packageName": "typo3/cms-beuser",
          "product": "TYPO3 CMS",
          "repo": "https://github.com/TYPO3/typo3",
          "vendor": "TYPO3",
          "versions": [
            {
              "lessThan": "9.5.55",
              "status": "affected",
              "version": "9.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.4.54",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.5.48",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.4.37",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.4.18",
              "status": "affected",
              "version": "13.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://packagist.org",
          "defaultStatus": "unaffected",
          "modules": [
            "Dashboard"
          ],
          "packageName": "typo3/cms-dashboard",
          "product": "TYPO3 CMS",
          "repo": "https://github.com/TYPO3/typo3",
          "vendor": "TYPO3",
          "versions": [
            {
              "lessThan": "10.4.54",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.5.48",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.4.37",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.4.18",
              "status": "affected",
              "version": "13.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://packagist.org",
          "defaultStatus": "unaffected",
          "modules": [
            "Recycler"
          ],
          "packageName": "typo3/cms-recycler",
          "product": "TYPO3 CMS",
          "repo": "https://github.com/TYPO3/typo3",
          "vendor": "TYPO3",
          "versions": [
            {
              "lessThan": "9.5.55",
              "status": "affected",
              "version": "9.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.4.54",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.5.48",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.4.37",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.4.18",
              "status": "affected",
              "version": "13.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://packagist.org",
          "defaultStatus": "unaffected",
          "modules": [
            "Workspaces"
          ],
          "packageName": "typo3/cms-workspaces",
          "product": "TYPO3 CMS",
          "repo": "https://github.com/TYPO3/typo3",
          "vendor": "TYPO3",
          "versions": [
            {
              "lessThan": "9.5.55",
              "status": "affected",
              "version": "9.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.4.54",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.5.48",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.4.37",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.4.18",
              "status": "affected",
              "version": "13.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Elias H\u00e4u\u00dfler"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Elias H\u00e4u\u00dfler"
        }
      ],
      "datePublic": "2025-09-09T09:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0\u20119.5.54, 10.0.0\u201110.4.53, 11.0.0\u201111.5.47, 12.0.0\u201112.4.36, and 13.0.0\u201113.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules."
            }
          ],
          "value": "Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0\u20119.5.54, 10.0.0\u201110.4.53, 11.0.0\u201111.5.47, 12.0.0\u201112.4.36, and 13.0.0\u201113.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T09:01:03.951Z",
        "orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
        "shortName": "TYPO3"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-021"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Broken Access Control in Backend AJAX Routes",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
    "assignerShortName": "TYPO3",
    "cveId": "CVE-2025-59017",
    "datePublished": "2025-09-09T09:01:03.951Z",
    "dateReserved": "2025-09-07T19:01:20.436Z",
    "dateUpdated": "2025-09-09T19:30:15.708Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-59017\",\"sourceIdentifier\":\"f4fb688c-4412-4426-b4b8-421ecf27b14a\",\"published\":\"2025-09-09T09:15:40.673\",\"lastModified\":\"2025-09-10T13:44:43.430\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0\u20119.5.54, 10.0.0\u201110.4.53, 11.0.0\u201111.5.47, 12.0.0\u201112.4.36, and 13.0.0\u201113.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"f4fb688c-4412-4426-b4b8-421ecf27b14a\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"f4fb688c-4412-4426-b4b8-421ecf27b14a\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.0.0\",\"versionEndExcluding\":\"9.5.55\",\"matchCriteriaId\":\"1E866731-B777-4891-B640-782B989C9D4C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.0.0\",\"versionEndExcluding\":\"10.4.54\",\"matchCriteriaId\":\"DECE7F7E-CAF9-4D9A-A2B4-DAEE5254653B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndExcluding\":\"11.5.48\",\"matchCriteriaId\":\"0A6E9C36-3060-45FA-978B-902532F7E7FF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndExcluding\":\"12.4.37\",\"matchCriteriaId\":\"D342CCDE-6D19-4FBA-B44C-271D3E20435B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"13.0.0\",\"versionEndExcluding\":\"13.4.18\",\"matchCriteriaId\":\"3513743D-D6B3-4CDE-A513-52F6E499D681\"}]}]}],\"references\":[{\"url\":\"https://typo3.org/security/advisory/typo3-core-sa-2025-021\",\"source\":\"f4fb688c-4412-4426-b4b8-421ecf27b14a\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"collectionURL\": \"https://packagist.org\", \"defaultStatus\": \"unaffected\", \"modules\": [\"Backend\"], \"packageName\": \"typo3/cms-backend\", \"product\": \"TYPO3 CMS\", \"repo\": \"https://github.com/TYPO3/typo3\", \"vendor\": \"TYPO3\", \"versions\": [{\"lessThan\": \"9.5.55\", \"status\": \"affected\", \"version\": \"9.0.0\", \"versionType\": \"semver\"}, {\"lessThan\": \"10.4.54\", \"status\": \"affected\", \"version\": \"10.0.0\", \"versionType\": \"semver\"}, {\"lessThan\": \"11.5.48\", \"status\": \"affected\", \"version\": \"11.0.0\", \"versionType\": \"semver\"}, {\"lessThan\": \"12.4.37\", \"status\": \"affected\", \"version\": \"12.0.0\", \"versionType\": \"semver\"}, {\"lessThan\": \"13.4.18\", \"status\": \"affected\", \"version\": \"13.0.0\", \"versionType\": \"semver\"}]}, {\"collectionURL\": \"https://packagist.org\", \"defaultStatus\": \"unaffected\", \"modules\": [\"Backend User\"], \"packageName\": \"typo3/cms-beuser\", \"product\": \"TYPO3 CMS\", \"repo\": \"https://github.com/TYPO3/typo3\", \"vendor\": \"TYPO3\", \"versions\": [{\"lessThan\": \"9.5.55\", \"status\": \"affected\", \"version\": \"9.0.0\", \"versionType\": \"semver\"}, {\"lessThan\": \"10.4.54\", \"status\": \"affected\", \"version\": \"10.0.0\", \"versionType\": \"semver\"}, {\"lessThan\": \"11.5.48\", \"status\": \"affected\", \"version\": \"11.0.0\", \"versionType\": \"semver\"}, {\"lessThan\": \"12.4.37\", \"status\": \"affected\", \"version\": \"12.0.0\", \"versionType\": \"semver\"}, {\"lessThan\": \"13.4.18\", \"status\": \"affected\", \"version\": \"13.0.0\", \"versionType\": \"semver\"}]}, {\"collectionURL\": \"https://packagist.org\", \"defaultStatus\": \"unaffected\", \"modules\": [\"Dashboard\"], \"packageName\": \"typo3/cms-dashboard\", \"product\": \"TYPO3 CMS\", \"repo\": \"https://github.com/TYPO3/typo3\", \"vendor\": \"TYPO3\", \"versions\": [{\"lessThan\": \"10.4.54\", \"status\": \"affected\", \"version\": \"10.0.0\", \"versionType\": \"semver\"}, {\"lessThan\": \"11.5.48\", \"status\": \"affected\", \"version\": \"11.0.0\", \"versionType\": \"semver\"}, {\"lessThan\": \"12.4.37\", \"status\": \"affected\", \"version\": \"12.0.0\", \"versionType\": \"semver\"}, {\"lessThan\": \"13.4.18\", \"status\": \"affected\", \"version\": \"13.0.0\", \"versionType\": \"semver\"}]}, {\"collectionURL\": \"https://packagist.org\", \"defaultStatus\": \"unaffected\", \"modules\": [\"Recycler\"], \"packageName\": \"typo3/cms-recycler\", \"product\": \"TYPO3 CMS\", \"repo\": \"https://github.com/TYPO3/typo3\", \"vendor\": \"TYPO3\", \"versions\": [{\"lessThan\": \"9.5.55\", \"status\": \"affected\", \"version\": \"9.0.0\", \"versionType\": \"semver\"}, {\"lessThan\": \"10.4.54\", \"status\": \"affected\", \"version\": \"10.0.0\", \"versionType\": \"semver\"}, {\"lessThan\": \"11.5.48\", \"status\": \"affected\", \"version\": \"11.0.0\", \"versionType\": \"semver\"}, {\"lessThan\": \"12.4.37\", \"status\": \"affected\", \"version\": \"12.0.0\", \"versionType\": \"semver\"}, {\"lessThan\": \"13.4.18\", \"status\": \"affected\", \"version\": \"13.0.0\", \"versionType\": \"semver\"}]}, {\"collectionURL\": \"https://packagist.org\", \"defaultStatus\": \"unaffected\", \"modules\": [\"Workspaces\"], \"packageName\": \"typo3/cms-workspaces\", \"product\": \"TYPO3 CMS\", \"repo\": \"https://github.com/TYPO3/typo3\", \"vendor\": \"TYPO3\", \"versions\": [{\"lessThan\": \"9.5.55\", \"status\": \"affected\", \"version\": \"9.0.0\", \"versionType\": \"semver\"}, {\"lessThan\": \"10.4.54\", \"status\": \"affected\", \"version\": \"10.0.0\", \"versionType\": \"semver\"}, {\"lessThan\": \"11.5.48\", \"status\": \"affected\", \"version\": \"11.0.0\", \"versionType\": \"semver\"}, {\"lessThan\": \"12.4.37\", \"status\": \"affected\", \"version\": \"12.0.0\", \"versionType\": \"semver\"}, {\"lessThan\": \"13.4.18\", \"status\": \"affected\", \"version\": \"13.0.0\", \"versionType\": \"semver\"}]}], \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Elias H\\u00e4u\\u00dfler\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Elias H\\u00e4u\\u00dfler\"}], \"datePublic\": \"2025-09-09T09:00:00.000Z\", \"descriptions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0\\u20119.5.54, 10.0.0\\u201110.4.53, 11.0.0\\u201111.5.47, 12.0.0\\u201112.4.36, and 13.0.0\\u201113.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules.\"}], \"value\": \"Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0\\u20119.5.54, 10.0.0\\u201110.4.53, 11.0.0\\u201111.5.47, 12.0.0\\u201112.4.36, and 13.0.0\\u201113.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules.\"}], \"metrics\": [{\"cvssV4_0\": {\"Automatable\": \"NOT_DEFINED\", \"Recovery\": \"NOT_DEFINED\", \"Safety\": \"NOT_DEFINED\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"attackVector\": \"NETWORK\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"privilegesRequired\": \"LOW\", \"providerUrgency\": \"NOT_DEFINED\", \"subAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N\", \"version\": \"4.0\", \"vulnAvailabilityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-862\", \"description\": \"CWE-862 Missing Authorization\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"orgId\": \"f4fb688c-4412-4426-b4b8-421ecf27b14a\", \"shortName\": \"TYPO3\", \"dateUpdated\": \"2025-09-09T09:01:03.951Z\"}, \"references\": [{\"tags\": [\"vendor-advisory\"], \"url\": \"https://typo3.org/security/advisory/typo3-core-sa-2025-021\"}], \"source\": {\"discovery\": \"UNKNOWN\"}, \"title\": \"Broken Access Control in Backend AJAX Routes\", \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-59017\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-09T19:30:08.547495Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-09T19:30:12.423Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-59017\", \"assignerOrgId\": \"f4fb688c-4412-4426-b4b8-421ecf27b14a\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"TYPO3\", \"dateReserved\": \"2025-09-07T19:01:20.436Z\", \"datePublished\": \"2025-09-09T09:01:03.951Z\", \"dateUpdated\": \"2025-09-09T19:30:15.708Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

wid-sec-w-2025-2001

Vulnerability from csaf_certbund

Published

2025-09-08 22:00

Modified

2025-09-09 22:00

Summary

TYPO3 Core: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

TYPO3 ist ein freies Content-Management-System, basierend auf der Scriptsprache PHP und einer SQL-Datenbank. Über zahlreiche Extensions kann der Funktionsumfang der Core-Installation individuell erweitert werden.

Angriff

Ein entfernter anonymer oder authentisierter Angreifer kann mehrere Schwachstellen im TYPO3 Core ausnutzen, um Phishing-Angriffe durchzuführen, vertrauliche Informationen offenzulegen, Daten zu manipulieren, Sicherheitsmaßnahmen zu umgehen und einen Denial-of-Service-Zustand zu verursachen.

Betroffene Betriebssysteme

- Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "TYPO3 ist ein freies Content-Management-System, basierend auf der Scriptsprache PHP und einer SQL-Datenbank. \u00dcber zahlreiche Extensions kann der Funktionsumfang der Core-Installation individuell erweitert werden.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter anonymer oder authentisierter Angreifer kann mehrere Schwachstellen im TYPO3 Core ausnutzen, um Phishing-Angriffe durchzuf\u00fchren, vertrauliche Informationen offenzulegen, Daten zu manipulieren, Sicherheitsma\u00dfnahmen zu umgehen und einen Denial-of-Service-Zustand zu verursachen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-2001 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2001.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-2001 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2001"
      },
      {
        "category": "external",
        "summary": "Typo3 Security Advisory vom 2025-09-08",
        "url": "https://typo3.org/article/typo3-13418-and-12437-security-releases-published"
      },
      {
        "category": "external",
        "summary": "Typo3 Security Advisory vom 2025-09-08",
        "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-017"
      },
      {
        "category": "external",
        "summary": "Typo3 Security Advisory vom 2025-09-08",
        "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-018"
      },
      {
        "category": "external",
        "summary": "Typo3 Security Advisory vom 2025-09-08",
        "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-019"
      },
      {
        "category": "external",
        "summary": "Typo3 Security Advisory vom 2025-09-08",
        "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-020"
      },
      {
        "category": "external",
        "summary": "Typo3 Security Advisory vom 2025-09-08",
        "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-021"
      },
      {
        "category": "external",
        "summary": "Typo3 Security Advisory vom 2025-09-08",
        "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-022"
      },
      {
        "category": "external",
        "summary": "Typo3 Security Advisory vom 2025-09-08",
        "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-023"
      }
    ],
    "source_lang": "en-US",
    "title": "TYPO3 Core: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-09-09T22:00:00.000+00:00",
      "generator": {
        "date": "2025-09-10T05:07:25.877+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.4.0"
        }
      },
      "id": "WID-SEC-W-2025-2001",
      "initial_release_date": "2025-09-08T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-09-08T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-09-09T22:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: EUVD-2025-27227, EUVD-2025-27226, EUVD-2025-27232, EUVD-2025-27231, EUVD-2025-27230, EUVD-2025-27229, EUVD-2025-27228"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c13.4.18",
                "product": {
                  "name": "TYPO3 Core \u003c13.4.18",
                  "product_id": "T046803"
                }
              },
              {
                "category": "product_version",
                "name": "13.4.18",
                "product": {
                  "name": "TYPO3 Core 13.4.18",
                  "product_id": "T046803-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:typo3:typo3:13.4.18"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c12.4.37",
                "product": {
                  "name": "TYPO3 Core \u003c12.4.37",
                  "product_id": "T046804"
                }
              },
              {
                "category": "product_version",
                "name": "12.4.37",
                "product": {
                  "name": "TYPO3 Core 12.4.37",
                  "product_id": "T046804-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:typo3:typo3:12.4.37"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Core"
          }
        ],
        "category": "vendor",
        "name": "TYPO3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-59013",
      "product_status": {
        "known_affected": [
          "T046804",
          "T046803"
        ]
      },
      "release_date": "2025-09-08T22:00:00.000+00:00",
      "title": "CVE-2025-59013"
    },
    {
      "cve": "CVE-2025-59014",
      "product_status": {
        "known_affected": [
          "T046804",
          "T046803"
        ]
      },
      "release_date": "2025-09-08T22:00:00.000+00:00",
      "title": "CVE-2025-59014"
    },
    {
      "cve": "CVE-2025-59015",
      "product_status": {
        "known_affected": [
          "T046804",
          "T046803"
        ]
      },
      "release_date": "2025-09-08T22:00:00.000+00:00",
      "title": "CVE-2025-59015"
    },
    {
      "cve": "CVE-2025-59016",
      "product_status": {
        "known_affected": [
          "T046804",
          "T046803"
        ]
      },
      "release_date": "2025-09-08T22:00:00.000+00:00",
      "title": "CVE-2025-59016"
    },
    {
      "cve": "CVE-2025-59017",
      "product_status": {
        "known_affected": [
          "T046804",
          "T046803"
        ]
      },
      "release_date": "2025-09-08T22:00:00.000+00:00",
      "title": "CVE-2025-59017"
    },
    {
      "cve": "CVE-2025-59018",
      "product_status": {
        "known_affected": [
          "T046804",
          "T046803"
        ]
      },
      "release_date": "2025-09-08T22:00:00.000+00:00",
      "title": "CVE-2025-59018"
    },
    {
      "cve": "CVE-2025-59019",
      "product_status": {
        "known_affected": [
          "T046804",
          "T046803"
        ]
      },
      "release_date": "2025-09-08T22:00:00.000+00:00",
      "title": "CVE-2025-59019"
    }
  ]
}

ghsa-2fhw-2j7m-mr4m

Vulnerability from github

Published

2025-09-09 09:31

Modified

2025-09-09 20:11

Severity ?

5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Summary

TYPO3 backend modules have Broken Access Control

Details

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 9.5.55"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-workspaces"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "12.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 10.4.54"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-workspaces"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "12.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 11.5.48"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-workspaces"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "12.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-workspaces"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-workspaces"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.4.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 9.5.55"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-recycler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "12.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 10.4.54"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-recycler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "12.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 11.5.48"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-recycler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "12.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-recycler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-recycler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.4.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 10.4.54"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-dashboard"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "12.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 11.5.48"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-dashboard"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "12.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-dashboard"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-dashboard"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.4.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-beuser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.4.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-beuser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 11.5.48"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-beuser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "12.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 10.4.54"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-beuser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "12.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 9.5.55"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-beuser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "12.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 9.5.55"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "12.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 10.4.54"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "12.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 11.5.48"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "12.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.4.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59017"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-09T20:11:09Z",
    "nvd_published_at": "2025-09-09T09:15:40Z",
    "severity": "MODERATE"
  },
  "details": "Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0\u20119.5.54, 10.0.0\u201110.4.53, 11.0.0\u201111.5.47, 12.0.0\u201112.4.36, and 13.0.0\u201113.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules.",
  "id": "GHSA-2fhw-2j7m-mr4m",
  "modified": "2025-09-09T20:11:10Z",
  "published": "2025-09-09T09:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59017"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3-CMS/backend/commit/0aedf33d910bceafc2ed0e715743cc0d30124501"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3-CMS/beuser/commit/eb9b0c14a514a7aada8a2aa30e57696e286044c7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3-CMS/dashboard/commit/582006c6bdf251160001eee6624901baccdcfcd2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3-CMS/recycler/commit/43475578eb1d9fa3b765537c96bcdf48582ee53b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3-CMS/workspaces/commit/32222508043940f9073c338d4205c730a2e02070"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-021"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "TYPO3 backend modules have Broken Access Control"
}

fkie_cve-2025-59017

Vulnerability from fkie_nvd

Published

2025-09-09 09:15

Modified

2025-09-10 13:44

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

▼	URL	Tags
	f4fb688c-4412-4426-b4b8-421ecf27b14a	https://typo3.org/security/advisory/typo3-core-sa-2025-021	Vendor Advisory

Impacted products

Vendor	Product	Version
typo3	typo3	*
typo3	typo3	*
typo3	typo3	*
typo3	typo3	*
typo3	typo3	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1E866731-B777-4891-B640-782B989C9D4C",
              "versionEndExcluding": "9.5.55",
              "versionStartIncluding": "9.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DECE7F7E-CAF9-4D9A-A2B4-DAEE5254653B",
              "versionEndExcluding": "10.4.54",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0A6E9C36-3060-45FA-978B-902532F7E7FF",
              "versionEndExcluding": "11.5.48",
              "versionStartIncluding": "11.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D342CCDE-6D19-4FBA-B44C-271D3E20435B",
              "versionEndExcluding": "12.4.37",
              "versionStartIncluding": "12.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3513743D-D6B3-4CDE-A513-52F6E499D681",
              "versionEndExcluding": "13.4.18",
              "versionStartIncluding": "13.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0\u20119.5.54, 10.0.0\u201110.4.53, 11.0.0\u201111.5.47, 12.0.0\u201112.4.36, and 13.0.0\u201113.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules."
    }
  ],
  "id": "CVE-2025-59017",
  "lastModified": "2025-09-10T13:44:43.430",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-09-09T09:15:40.673",
  "references": [
    {
      "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-021"
    }
  ],
  "sourceIdentifier": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-59017 (GCVE-0-2025-59017)

Vulnerability from cvelistv5

wid-sec-w-2025-2001

Vulnerability from csaf_certbund

ghsa-2fhw-2j7m-mr4m

Vulnerability from github

fkie_cve-2025-59017

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature