GHSA-j8vm-7q52-2m2m

Source
https://github.com/advisories/GHSA-j8vm-7q52-2m2m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-j8vm-7q52-2m2m/GHSA-j8vm-7q52-2m2m.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-j8vm-7q52-2m2m
Aliases
Published
2025-09-09T09:31:13Z
Modified
2025-09-09T20:44:41.750466Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
TYPO3 CSV download feature information disclosure
Details

Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users' web mounts without having access to them.

Database specific
{
    "github_reviewed": true,
    "nvd_published_at": "2025-09-09T09:15:41Z",
    "github_reviewed_at": "2025-09-09T20:11:38Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE"
}
References

Affected packages

Packagist / typo3/cms-backend

Package

Name
typo3/cms-backend
Purl
pkg:composer/typo3/cms-backend

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12.0.0
Fixed
12.4.37

Affected versions

v12.*

v12.0.0
v12.1.0
v12.1.1
v12.1.2
v12.1.3
v12.2.0
v12.3.0
v12.4.0
v12.4.1
v12.4.2
v12.4.3
v12.4.4
v12.4.5
v12.4.6
v12.4.7
v12.4.8
v12.4.9
v12.4.10
v12.4.11
v12.4.12
v12.4.13
v12.4.14
v12.4.15
v12.4.16
v12.4.17
v12.4.18
v12.4.19
v12.4.20
v12.4.21
v12.4.22
v12.4.23
v12.4.24
v12.4.25
v12.4.26
v12.4.27
v12.4.28
v12.4.29
v12.4.30
v12.4.31
v12.4.32
v12.4.33
v12.4.34
v12.4.35
v12.4.36

Packagist / typo3/cms-backend

Package

Name
typo3/cms-backend
Purl
pkg:composer/typo3/cms-backend

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13.0.0
Fixed
13.4.18

Affected versions

v13.*

v13.0.0
v13.0.1
v13.1.0
v13.1.1
v13.2.1
v13.3.0
v13.3.1
v13.4.0
v13.4.1
v13.4.2
v13.4.3
v13.4.4
v13.4.5
v13.4.6
v13.4.7
v13.4.8
v13.4.9
v13.4.10
v13.4.11
v13.4.12
v13.4.13
v13.4.14
v13.4.15
v13.4.16
v13.4.17

Packagist / typo3/cms-recordlist

Package

Name
typo3/cms-recordlist
Purl
pkg:composer/typo3/cms-recordlist

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
12.4.37

Affected versions

v11.*

v11.0.0
v11.1.0
v11.1.1
v11.2.0
v11.3.0
v11.3.1
v11.3.2
v11.3.3
v11.4.0
v11.5.0
v11.5.1
v11.5.2
v11.5.3
v11.5.4
v11.5.5
v11.5.6
v11.5.7
v11.5.8
v11.5.9
v11.5.10
v11.5.11
v11.5.12
v11.5.13
v11.5.14
v11.5.15
v11.5.16
v11.5.17
v11.5.18
v11.5.19
v11.5.20
v11.5.21
v11.5.22
v11.5.23
v11.5.24
v11.5.25
v11.5.26
v11.5.27
v11.5.28
v11.5.29
v11.5.30
v11.5.31
v11.5.32
v11.5.33
v11.5.34
v11.5.35
v11.5.36
v11.5.37
v11.5.38
v11.5.39
v11.5.40
v11.5.41

Database specific

{
    "last_known_affected_version_range": "< 11.5.48"
}