PT-2025-22140 · Typo3 · Typo3
Published 2025-05-20 · Updated 2025-05-20 · CVE-2025-47938
CVSS v2.0: 5.5 (Medium)
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions:
TYPO3 versions 9.0.0 through 9.5.50 ELTS
TYPO3 versions 10.0.0 through 10.4.49 ELTS
TYPO3 versions 11.0.0 through 11.5.43 ELTS
TYPO3 versions 12.0.0 through 12.4.30 LTS
TYPO3 versions 13.0.0 through 13.4.11 LTS
Description:
The backend user management interface in TYPO3 accepts a password change without asking for the account's current password. Because no re-authentication is required, anyone who gains control of an active administrator session (for example through session hijacking or a logged-in browser left unattended) can set a new password for that account, or for other backend user accounts reachable through the admin interface, and thereby turn a temporary session compromise into a persistent account takeover. Requiring the current password before a change is what normally limits this: a stolen session cookie alone should not be enough to lock the legitimate owner out.
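The following is an added illustration of the weakness described above, written for this page; it is not TYPO3's code and uses no TYPO3 API. It shows a minimal password-change handler in two variants: one that, like the affected versions, trusts the session alone, and a hardened one that re-verifies the current password first. All function and variable names (`changePasswordVulnerable`, `changePasswordHardened`, the `$admin` array) are hypothetical, and the sample account data is constructed.

```php
<?php
// Added illustration, not TYPO3's own code. Two password-change handlers:
// the vulnerable one mirrors the advisory (no current-password check),
// the hardened one re-authenticates before accepting a new password.
// Function and variable names are hypothetical.

declare(strict_types=1);

final class PasswordChangeError extends RuntimeException {}

// Minimal policy shared by both variants; kept deliberately simple.
function assertPasswordPolicy(string $newPassword): void
{
    if (strlen($newPassword) < 12) {
        throw new PasswordChangeError('new password too short');
    }
}

/**
 * Vulnerable: the only gate is "a session for this user exists".
 * Whoever holds that session (hijacked cookie, unattended browser)
 * can rotate the password and keep the account.
 */
function changePasswordVulnerable(array &$user, string $newPassword): void
{
    assertPasswordPolicy($newPassword);
    $user['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
}

/**
 * Hardened: the caller must prove knowledge of the current password.
 * A stolen session is then not sufficient to change it.
 */
function changePasswordHardened(array &$user, string $currentPassword, string $newPassword): void
{
    if (!password_verify($currentPassword, $user['password_hash'])) {
        throw new PasswordChangeError('current password does not match');
    }
    assertPasswordPolicy($newPassword);
    if (password_verify($newPassword, $user['password_hash'])) {
        throw new PasswordChangeError('new password must differ from the current one');
    }
    $user['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    // In a real application, also invalidate the user's other active sessions
    // here so that a hijacked session does not survive the credential change.
}

// Constructed sample account (not real data).
$originalPassword = 'correct horse battery staple';
$admin = [
    'username'      => 'admin',
    'password_hash' => password_hash($originalPassword, PASSWORD_DEFAULT),
];

// An attacker holding only the session succeeds against the vulnerable handler:
changePasswordVulnerable($admin, 'attacker-chosen-password-1');
echo 'vulnerable handler: attacker password now valid? ',
    password_verify('attacker-chosen-password-1', $admin['password_hash']) ? 'yes' : 'no',
    PHP_EOL;

// Reset the account, then try the hardened handler with a guessed current password:
$admin['password_hash'] = password_hash($originalPassword, PASSWORD_DEFAULT);
try {
    changePasswordHardened($admin, 'wrong-guess', 'attacker-chosen-password-2');
    echo 'hardened handler: change accepted', PHP_EOL;
} catch (PasswordChangeError $e) {
    echo 'hardened handler: rejected (', $e->getMessage(), ')', PHP_EOL;
}
echo 'hardened handler: original password still valid? ',
    password_verify($originalPassword, $admin['password_hash']) ? 'yes' : 'no',
    PHP_EOL;
```

Run it with `php` on the command line. The same re-authentication applies when an administrator changes another user's password: the hardened handler would then verify the acting administrator's own current password rather than the target account's, and the session invalidation in the comment should cover the target account's sessions as well.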
Recommendations:
Update to TYPO3 version 9.5.51 ELTS
Update to TYPO3 version 10.4.50 ELTS
Update to TYPO3 version 11.5.44 ELTS
Update to TYPO3 version 12.4.31 LTS
Update to TYPO3 version 13.4.12 LTS