PT-2025-36694 · Typo3 · Typo3/Cms
Oliver Hader
Published: 2025-09-09 · Updated: 2025-09-26
CVE-2025-59018
CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions:
TYPO3 CMS versions 9.0.0 through 9.5.54
TYPO3 CMS versions 10.0.0 through 10.4.53
TYPO3 CMS versions 11.0.0 through 11.5.47
TYPO3 CMS versions 12.0.0 through 12.4.36
TYPO3 CMS versions 13.0.0 through 13.4.17
Description:
The Workspace Module in TYPO3 CMS is susceptible to missing authorization checks. Because the corresponding AJAX backend route does not verify that the caller is permitted to use the module, any authenticated backend user can invoke it directly, potentially disclosing sensitive information they should not have access to.
Recommendations:
TYPO3 CMS versions 9.0.0 through 9.5.54, 10.0.0 through 10.4.53, 11.0.0 through 11.5.47, 12.0.0 through 12.4.36, and 13.0.0 through 13.4.17: Implement robust authorization checks for the Workspace Module's AJAX backend routes.
Fix · Information Disclosure
Affected Products: Typo3/Cms