Description

Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users' web mounts without having access to them.

PUBLISHED Reserved 2025-09-07 | Published 2025-09-09 | Updated 2025-09-11 | Assigner TYPO3




MEDIUM: 5.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Product status

Default status
unaffected

12.0.0 (semver) before 12.4.37
affected

13.0.0 (semver) before 13.4.18
affected

Default status
unaffected

11.0.0 (semver) before 11.5.48
affected

Credits

Oliver Hader (reporter)

Benjamin Franzke (remediation developer)

References

typo3.org/security/advisory/typo3-core-sa-2025-023 (vendor-advisory)

cve.org (CVE-2025-59019)

nvd.nist.gov (CVE-2025-59019)
