Description

An open-redirect vulnerability in GeneralUtility::sanitizeLocalUrl of TYPO3 CMS 9.0.0–9.5.54, 10.0.0–10.4.53, 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 allows an attacker to redirect users to arbitrary external sites, enabling phishing attacks by supplying a manipulated, sanitized URL.

Status: PUBLISHED | Reserved 2025-09-07 | Published 2025-09-09 | Updated 2025-09-09 | Assigner: TYPO3

Severity: MEDIUM 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N)

Problem types

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

Product status

Default status: unaffected

9.0.0 (semver) before 9.5.55: affected
10.0.0 (semver) before 10.4.54: affected
11.0.0 (semver) before 11.5.48: affected
12.0.0 (semver) before 12.4.37: affected
13.0.0 (semver) before 13.4.18: affected

Credits

Oliver Hader (reporter)

Benjamin Franzke (remediation developer)

References

typo3.org/security/advisory/typo3-core-sa-2025-017 (vendor advisory)

cve.org (CVE-2025-59013)

nvd.nist.gov (CVE-2025-59013)
