CVE-2025-59018

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-59018

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-59018.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-59018

Aliases

GHSA-w2pf-7q5w-2cgw

Published

2025-09-09T09:15:40Z

Modified

2025-09-12T09:03:04.612545Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke the corresponding AJAX backend route to disclose sensitive information without having access.

References

https://typo3.org/security/advisory/typo3-core-sa-2025-022

Affected packages

Git / github.com/typo3/typo3

Affected ranges

Type: GIT
Repo: https://github.com/typo3/typo3
Events: Introduced

fd8745e46bb11773e85524b8ee9650dabe340713

Fixed

34025c4b1658dffd995206bbf507124b6e357e89

Type: GIT
Repo: https://github.com/typo3/typo3.cms
Events: Introduced

36096733dea4bd6f6168209609fa879dc25c0138

Fixed

fa6ceeff93eb36ad5e8b36abe4ca2b1644706304

Affected versions

v12.*

v12.0.0

v12.1.0

v12.2.0

v12.3.0

v12.4.0

v12.4.1

v12.4.10

v12.4.11

v12.4.12

v12.4.13

v12.4.14

v12.4.15

v12.4.16

v12.4.17

v12.4.18

v12.4.19

v12.4.2

v12.4.20

v12.4.21

v12.4.22

v12.4.23

v12.4.24

v12.4.25

v12.4.26

v12.4.27

v12.4.28

v12.4.29

v12.4.3

v12.4.30

v12.4.31

v12.4.32

v12.4.33

v12.4.34

v12.4.35

v12.4.36

v12.4.4

v12.4.5

v12.4.6

v12.4.7

v12.4.8

v12.4.9

v13.*

v13.0.0

v13.1.0

v13.2.0

v13.2.1

v13.3.0

v13.4.0

v13.4.1

v13.4.10

v13.4.11

v13.4.12

v13.4.13

v13.4.14

v13.4.15

v13.4.16

v13.4.17

v13.4.2

v13.4.3

v13.4.4

v13.4.5

v13.4.6

v13.4.7

v13.4.8

v13.4.9