CVE-2025-59019

Summary

Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users' web mounts without having access to them.

Affected Software

VendorProductVersion RangeStatus
TYPO3TYPO3 CMS12.0.0 < 12.4.37affected
TYPO3TYPO3 CMS13.0.0 < 13.4.18affected
TYPO3TYPO3 CMS11.0.0 < 11.5.48affected

Weaknesses

  • CWE-200: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References