CVE-2025-59017

Summary

Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules.

Affected Software

VendorProductVersion RangeStatus
TYPO3TYPO3 CMS9.0.0 < 9.5.55affected
TYPO3TYPO3 CMS10.0.0 < 10.4.54affected
TYPO3TYPO3 CMS11.0.0 < 11.5.48affected
TYPO3TYPO3 CMS12.0.0 < 12.4.37affected
TYPO3TYPO3 CMS13.0.0 < 13.4.18affected
TYPO3TYPO3 CMS9.0.0 < 9.5.55affected
TYPO3TYPO3 CMS10.0.0 < 10.4.54affected
TYPO3TYPO3 CMS11.0.0 < 11.5.48affected
TYPO3TYPO3 CMS12.0.0 < 12.4.37affected
TYPO3TYPO3 CMS13.0.0 < 13.4.18affected
TYPO3TYPO3 CMS10.0.0 < 10.4.54affected
TYPO3TYPO3 CMS11.0.0 < 11.5.48affected
TYPO3TYPO3 CMS12.0.0 < 12.4.37affected
TYPO3TYPO3 CMS13.0.0 < 13.4.18affected
TYPO3TYPO3 CMS9.0.0 < 9.5.55affected
TYPO3TYPO3 CMS10.0.0 < 10.4.54affected
TYPO3TYPO3 CMS11.0.0 < 11.5.48affected
TYPO3TYPO3 CMS12.0.0 < 12.4.37affected
TYPO3TYPO3 CMS13.0.0 < 13.4.18affected
TYPO3TYPO3 CMS9.0.0 < 9.5.55affected
TYPO3TYPO3 CMS10.0.0 < 10.4.54affected
TYPO3TYPO3 CMS11.0.0 < 11.5.48affected
TYPO3TYPO3 CMS12.0.0 < 12.4.37affected
TYPO3TYPO3 CMS13.0.0 < 13.4.18affected

Weaknesses

  • CWE-862: CWE-862 Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References