CVE-2025-59017

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-59017

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-59017.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-59017

Aliases

GHSA-2fhw-2j7m-mr4m

Published

2025-09-09T09:15:40Z

Modified

2025-09-11T04:46:07.642048Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules.

References

https://typo3.org/security/advisory/typo3-core-sa-2025-021

Affected packages

Git / github.com/typo3/typo3

Affected ranges

Type: GIT
Repo: https://github.com/typo3/typo3
Events: Introduced

fd8745e46bb11773e85524b8ee9650dabe340713

Fixed

34025c4b1658dffd995206bbf507124b6e357e89

Type: GIT
Repo: https://github.com/typo3/typo3.cms
Events: Introduced

36096733dea4bd6f6168209609fa879dc25c0138

Fixed

fa6ceeff93eb36ad5e8b36abe4ca2b1644706304

Affected versions

v12.*

v12.0.0

v12.1.0

v12.2.0

v12.3.0

v12.4.0

v12.4.1

v12.4.10

v12.4.11

v12.4.12

v12.4.13

v12.4.14

v12.4.15

v12.4.16

v12.4.17

v12.4.18

v12.4.19

v12.4.2

v12.4.20

v12.4.21

v12.4.22

v12.4.23

v12.4.24

v12.4.25

v12.4.26

v12.4.27

v12.4.28

v12.4.29

v12.4.3

v12.4.30

v12.4.31

v12.4.32

v12.4.33

v12.4.34

v12.4.35

v12.4.36

v12.4.4

v12.4.5

v12.4.6

v12.4.7

v12.4.8

v12.4.9

v13.*

v13.0.0

v13.1.0

v13.2.0

v13.2.1

v13.3.0

v13.4.0

v13.4.1

v13.4.10

v13.4.11

v13.4.12

v13.4.13

v13.4.14

v13.4.15

v13.4.16

v13.4.17

v13.4.2

v13.4.3

v13.4.4

v13.4.5

v13.4.6

v13.4.7

v13.4.8

v13.4.9