CVE-2025-47937 — Incorrect Authorization in Typo3

Severity
NVD: 5.3 MEDIUM
CNA: 3.7
EPSS
0.2% (top 57.73%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: May 20

Description

TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, when performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are only applied via `FrontendGroupRestriction` to the first table. As a result, data from additional tables included in the same query may be unintentionally exposed to unauthorized
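The following PHP is an added example, not code from the TYPO3 project or from this record, illustrating the defensive pattern implied by the description: when a joined query relies on the DBAL restriction container to enforce frontend group access on every table, affected versions only restrict the first table, so each access-restricted table should be queried through its own QueryBuilder and the rows combined in PHP. The example assumes TYPO3 11.5+ core API names (ConnectionPool, QueryBuilder::setRestrictions, FrontendRestrictionContainer, executeQuery/fetchAllAssociative); the tables tx_myext_document and tx_myext_attachment and their columns are constructed for illustration. The actual remedy is upgrading to one of the fixed versions listed above; the separate-query pattern only reduces exposure in extension code that cannot be upgraded yet.

```php
<?php
// Added example (not TYPO3 core code). Assumes TYPO3 11.5+ API names;
// the tx_myext_* tables and columns are hypothetical.
declare(strict_types=1);

use TYPO3\CMS\Core\Database\Connection;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Database\Query\Restriction\FrontendRestrictionContainer;
use TYPO3\CMS\Core\Utility\GeneralUtility;

final class RestrictedDocumentRepository
{
    public function __construct(private readonly ConnectionPool $connectionPool) {}

    /**
     * Pattern to avoid: one joined query relies on the restriction container
     * (which includes FrontendGroupRestriction) to enforce fe_group access for
     * BOTH tables. In affected versions only the first table (tx_myext_document)
     * is restricted, so tx_myext_attachment rows can be returned regardless of
     * their own fe_group.
     */
    public function findWithAttachmentsJoined(int $pageId): array
    {
        $qb = $this->connectionPool->getQueryBuilderForTable('tx_myext_document');
        $qb->setRestrictions(GeneralUtility::makeInstance(FrontendRestrictionContainer::class));
        return $qb->select('d.uid', 'd.title', 'a.uid AS attachment_uid', 'a.file')
            ->from('tx_myext_document', 'd')
            ->join('d', 'tx_myext_attachment', 'a',
                $qb->expr()->eq('a.document', $qb->quoteIdentifier('d.uid')))
            ->where($qb->expr()->eq('d.pid', $qb->createNamedParameter($pageId, Connection::PARAM_INT)))
            ->executeQuery()
            ->fetchAllAssociative();
    }

    /**
     * Safer pattern: each access-restricted table gets its own QueryBuilder,
     * so for every query the restricted table is the first (and only) table
     * and the frontend group restriction is actually applied to it. The
     * result sets are joined in PHP.
     */
    public function findWithAttachmentsSeparately(int $pageId): array
    {
        $docQb = $this->connectionPool->getQueryBuilderForTable('tx_myext_document');
        $docQb->setRestrictions(GeneralUtility::makeInstance(FrontendRestrictionContainer::class));
        $documents = $docQb->select('uid', 'title')
            ->from('tx_myext_document')
            ->where($docQb->expr()->eq('pid', $docQb->createNamedParameter($pageId, Connection::PARAM_INT)))
            ->executeQuery()
            ->fetchAllAssociative();
        if ($documents === []) {
            return [];
        }

        // Second query: attachments are filtered by their own fe_group because
        // tx_myext_attachment is now the first table of its query.
        $attQb = $this->connectionPool->getQueryBuilderForTable('tx_myext_attachment');
        $attQb->setRestrictions(GeneralUtility::makeInstance(FrontendRestrictionContainer::class));
        $attachments = $attQb->select('uid', 'document', 'file')
            ->from('tx_myext_attachment')
            ->where($attQb->expr()->in(
                'document',
                $attQb->createNamedParameter(array_column($documents, 'uid'), Connection::PARAM_INT_ARRAY)
            ))
            ->executeQuery()
            ->fetchAllAssociative();

        // Group attachments by parent document uid and attach them in PHP.
        $byDocument = [];
        foreach ($attachments as $attachment) {
            $byDocument[(int)$attachment['document']][] = $attachment;
        }
        foreach ($documents as &$document) {
            $document['attachments'] = $byDocument[(int)$document['uid']] ?? [];
        }
        unset($document);
        return $documents;
    }
}
```

A quick way to audit an extension for this class of issue is to search for `->join(`, `->leftJoin(` and `->innerJoin(` on QueryBuilders that carry a FrontendRestrictionContainer or FrontendGroupRestriction, and to check whether any joined table has its own fe_group column that the query is expected to honour.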

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (3 packages)

Source     | Package          | Introduced | Fixed   | More
NVD        | typo3/typo3      | 9.0.0      | 9.5.51  | +4
Packagist  | typo3/cms-core   | 9.0.0      | 9.5.51  | +4
CVEList V5 | typo3/typo3      | 5 versions |         | +4

Vulnerability Details (3)

OSV: TYPO3 Allows Information Disclosure via DBAL Restriction Handling (2025-05-20)
CVEList: TYPO3 Vulnerable to Information Disclosure via DBAL Restriction Handling (2025-05-20)
GHSA: TYPO3 Allows Information Disclosure via DBAL Restriction Handling (2025-05-20)
CVE-2025-47937 — Incorrect Authorization in Typo3 | cvebase