HIGH✓ PATCH🇵🇱 Wersja polska

CVE-2025-59018

CVSS 7.1v4.0pub. 2025-09-09upd. 2025-09-26

Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke the corresponding AJAX backend route to disclose sensitive information without having access.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Typo3

    APP
    Typo3
    9.0.0 – 9.5.55 (bez)10.0.0 – 10.4.54 (bez)11.0.0 – 11.5.48 (bez)12.0.0 – 12.4.37 (bez)13.0.0 – 13.4.18 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2011-3583CRITICAL9.8ten sam produkt

It was found that Typo3 Core versions 4.5.0 - 4.5.5 uses prepared statements that, if the parameter values are...

CVE-2011-4628CRITICAL9.8ten sam produkt

TYPO3 before 4.3.12, 4.4.x before 4.4.9, and 4.5.x before 4.5.4 allows remote attackers to bypass authenticati...

CVE-2026-6553HIGH7.3ten sam produkt

Changing backend users' passwords via the user settings module results in storing the cleartext password in th...

CVE-2025-59022HIGH7.1ten sam produkt

Backend users who had access to the recycler module could delete arbitrary data from any database table define...

CVE-2025-47941HIGH7.2ten sam produkt

TYPO3 is an open source, PHP based web content management system. In versions on the 12.x branch prior to 12.4...