CVE-2025-47937
Published 2025-05-20
Priority: P4 (30)
CVSS 3.1: 5.3 (medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.25% (16.6th percentile)
TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, when performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are only applied via `FrontendGroupRestriction` to the first table. As a result, data from additional tables included in the same query may be unintentionally exposed to unauthorized users. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem.
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| typo3 | cms-core | >= 10.0.0 < 10.4.50 | 10.4.50 |
| typo3 | cms-core | >= 11.0.0 < 11.5.44 | 11.5.44 |
| typo3 | cms-core | >= 12.0.0 < 12.4.31 | 12.4.31 |
| typo3 | cms-core | >= 13.0.0 < 13.4.12 | 13.4.12 |
| typo3 | cms-core | >= 9.0.0 < 9.5.51 | 9.5.51 |
| typo3 | typo3 | — | — |
| typo3 | typo3 | — | — |
| typo3 | typo3 | — | — |
| typo3 | typo3 | — | — |
| typo3 | typo3 | — | — |
| typo3 | typo3 | >= 10.0.0 < 10.4.50 | 10.4.50 |
| typo3 | typo3 | >= 11.0.0 < 11.5.44 | 11.5.44 |
| typo3 | typo3 | >= 12.0.0 < 12.4.31 | 12.4.31 |
| typo3 | typo3 | >= 13.0.0 < 13.4.12 | 13.4.12 |
| typo3 | typo3 | >= 9.0.0 < 9.5.51 | 9.5.51 |
OSV
TYPO3 Allows Information Disclosure via DBAL Restriction Handling
osv · 2025-05-20
CVE-2025-47937 [LOW] TYPO3 Allows Information Disclosure via DBAL Restriction Handling
### Problem
When performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are only applied via `FrontendGroupRestriction` to the last table. As a result, data from additional tables included in the same query may be unintentionally exposed to unauthorized users.
### Solution
Update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS, which fix the problem described.
### Credits
Thanks to Christian Futterlieb for reporting this issue, and to TYPO3 security team member Elias Häußler for fixing it.
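The advisory describes a multi-table DBAL query in which the frontend-group restriction ends up applied to only one of the queried tables. The block below is an added illustration, not TYPO3's own code: it models a generic per-table restriction builder with the kind of accumulation defect that leaves a single table's constraint in place, puts the corrected form beside it, and adds a check that a site owner or extension author can run to confirm every group-restricted table in a query is covered by the generated WHERE fragment. The alias/table map, the `tx_example_*` table names and the column map standing in for TCA are constructed for the example; only `tt_content` with its `fe_group` column is a real TYPO3 table.

```php
<?php
declare(strict_types=1);

// Added illustration (not TYPO3 code). Constructed stand-in for the TCA
// "enablecolumns.fe_group" configuration: which tables carry a group column.
const TABLE_GROUP_COLUMNS = [
    'tt_content'        => 'fe_group', // real TYPO3 table and column
    'tx_example_item'   => 'fe_group', // hypothetical, group-restricted
    'tx_example_lookup' => null,       // hypothetical, no group column
];

/** Group constraint for one table alias; $groups are the current user's group ids (constructed). */
function groupConstraintFor(string $alias, string $column, array $groups): string
{
    $ids = implode(',', array_map('intval', $groups));
    $field = $alias . '.' . $column;
    return sprintf("(%s = '' OR %s IS NULL OR %s IN (%s))", $field, $field, $field, $ids);
}

/**
 * Defective pattern: the per-table result is assigned instead of appended,
 * so only the last restricted table's constraint survives the loop.
 */
function buildRestrictionBroken(array $queriedTables, array $groups): string
{
    $constraints = [];
    foreach ($queriedTables as $alias => $table) {
        $column = TABLE_GROUP_COLUMNS[$table] ?? null;
        if ($column === null) {
            continue;
        }
        $constraints = [groupConstraintFor($alias, $column, $groups)]; // overwrites earlier tables
    }
    return implode(' AND ', $constraints);
}

/** Corrected pattern: every group-restricted table contributes its own constraint. */
function buildRestrictionFixed(array $queriedTables, array $groups): string
{
    $constraints = [];
    foreach ($queriedTables as $alias => $table) {
        $column = TABLE_GROUP_COLUMNS[$table] ?? null;
        if ($column === null) {
            continue;
        }
        $constraints[] = groupConstraintFor($alias, $column, $groups);
    }
    return implode(' AND ', $constraints);
}

/**
 * Defender-side check: every group-restricted table in the query must be
 * referenced by the generated WHERE fragment. Returns the aliases left uncovered.
 */
function uncoveredTables(array $queriedTables, string $where): array
{
    $missing = [];
    foreach ($queriedTables as $alias => $table) {
        $column = TABLE_GROUP_COLUMNS[$table] ?? null;
        if ($column !== null && !str_contains($where, $alias . '.' . $column)) {
            $missing[] = $alias;
        }
    }
    return $missing;
}

// Constructed query: content joined to a restricted item table and an unrestricted lookup table.
$queriedTables = ['c' => 'tt_content', 'i' => 'tx_example_item', 'l' => 'tx_example_lookup'];
$userGroups = [1, 2];

$broken = buildRestrictionBroken($queriedTables, $userGroups);
$fixed  = buildRestrictionFixed($queriedTables, $userGroups);

printf("broken: %s\n  uncovered: %s\n", $broken, implode(',', uncoveredTables($queriedTables, $broken)) ?: '(none)');
printf("fixed:  %s\n  uncovered: %s\n", $fixed, implode(',', uncoveredTables($queriedTables, $fixed)) ?: '(none)');
```

Run with `php restriction_check.php` (PHP 8.0 or later for `str_contains`). The broken builder reports alias `c` as uncovered, meaning `tt_content` rows would be returned without any group filtering; the fixed builder reports none. The same property, that the SQL produced for a joined query references the group column of every restricted table, is what a regression test for this class of defect should assert against the real query builder output.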
GHSA
TYPO3 Allows Information Disclosure via DBAL Restriction Handling
ghsa·2025-05-20
CVE-2025-47937 [LOW] CWE-863 TYPO3 Allows Information Disclosure via DBAL Restriction Handling
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.