
Description

Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to invoke AJAX backend routes directly, even when they have no access to the backend module those routes belong to.

State: PUBLISHED | Reserved 2025-09-07 | Published 2025-09-09 | Updated 2025-09-09 | Assigner: TYPO3

Severity: MEDIUM, CVSS v4.0 base score 5.3
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-862 Missing Authorization

Product status

The record lists five product entries. Default status for every entry: unaffected.

Affected version ranges (semver), entries 1, 2, 4 and 5:
  9.0.0  before 9.5.55
  10.0.0 before 10.4.54
  11.0.0 before 11.5.48
  12.0.0 before 12.4.37
  13.0.0 before 13.4.18

Affected version ranges (semver), entry 3:
  10.0.0 before 10.4.54
  11.0.0 before 11.5.48
  12.0.0 before 12.4.37
  13.0.0 before 13.4.18

Credits

Elias Häußler reporter

Elias Häußler remediation developer

References

typo3.org/security/advisory/typo3-core-sa-2025-021 vendor-advisory

cve.org (CVE-2025-59017)

nvd.nist.gov (CVE-2025-59017)
