CVE-2025-59018

Summary

Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke the corresponding AJAX backend route to disclose sensitive information without having access.

Affected Software

VendorProductVersion RangeStatus
TYPO3TYPO3 CMS9.0.0 < 9.5.55affected
TYPO3TYPO3 CMS10.0.0 < 10.4.54affected
TYPO3TYPO3 CMS11.0.0 < 11.5.48affected
TYPO3TYPO3 CMS12.0.0 < 12.4.37affected
TYPO3TYPO3 CMS13.0.0 < 13.4.18affected

Weaknesses

  • CWE-200: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References