CVE-2025-59021

Summary

Backend users with access to the redirects module and write permission on the sys_redirect table were able to read, create, and modify any redirect record without restriction to the user’s own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs – facilitating phishing or other malicious redirect attacks. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1.

Affected Software

VendorProductVersion RangeStatus
TYPO3TYPO3 CMS10.0.0 < 10.4.55affected
TYPO3TYPO3 CMS11.0.0 < 11.5.49affected
TYPO3TYPO3 CMS12.0.0 < 12.4.41affected
TYPO3TYPO3 CMS13.0.0 < 13.4.23affected
TYPO3TYPO3 CMS14.0.0 < 14.0.2affected

Weaknesses

  • CWE-862: CWE-862 Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References